Re: Security Component is Ruining my Life
On Mon, Oct 27, 2014 at 10:38 PM, Florian Krämer bur...@doomzone.de wrote:

> I've turned the idea into an implementation. Proof of concept goes here:
> https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76

Cool! I will try this out...

Tarique
Re: Security Component is Ruining my Life
I've turned the idea into an implementation. Proof of concept goes here:
https://github.com/burzum/cakephp/commit/9d8f6b4cb7653dd14130af68dbc632e9055d8d76

This will output the dirty fields as a list below the error message. I hope this is going to make it into the core. :)

On Sunday, October 19, 2014 12:26:44 AM UTC+2, glk wrote:

> Florian... What a wonderful idea. Just wish I understood all of Cake well enough to help implement. I've fought with the Security Component many times and, although I've never lost, it has created many headaches. Hope the Development team can add this functionality during debugging.
Re: Security Component is Ruining my Life
Florian... What a wonderful idea. Just wish I understood all of Cake well enough to help implement. I've fought with the Security Component many times and, although I've never lost, it has created many headaches. Hope the Development team can add this functionality during debugging.
Re: Security Component is Ruining my Life
oh, ok. fair enough if it doesn't know it can't tell me.

On 12 September 2014 12:32, mark_story mark.st...@gmail.com wrote:

> One of the issues with the field hashing is that SecurityComponent doesn't know what is wrong either. It just knows that the hash of the data does not match what was generated in the past.
>
> -Mark
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>
> > I've got an app i have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because cakephp is so nice to work with, i think Security Component (SC) causes all the headaches...
> >
> > I've read through the docs a fair bit, i have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
> >
> > 1. What a mess
> > 2. No SC == not great security.
> >
> > One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though i'm applying the following fugly hack to ask it to leave me alone
> >
> >     $this->Security->allowedControllers = array(people);
> >     if (in_array($this->action, array('edit', 'simport'))) {
> >         $this->Security->validatePost = false;
> >     }
> >
> > I email myself every time these occur. With details of the error. Which more or less amount to $type = auth - which according to the docs means:
> >
> > Indicates a form validation error, or a controller/action mismatch error.
> >
> > well, i / JS hasn't messed with the form (that's what form validation is about right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
> >
> > adding this deeply depressing line of code makes my basic form work:
> >
> >     $this->Components->unload('Security');
> >
> > How can I get much better details of the error?
> >
> > How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
> >
> > W

--
Will Barker
Re: Security Component is Ruining my Life
Mark, wouldn't it be possible to keep track of these changes somehow via debug kit? Save the original keys to session and then do the same comparison with the data that the security component does but without the hashing but an array diff instead?

On Friday, September 12, 2014 4:32:32 AM UTC+2, mark_story wrote:

> One of the issues with the field hashing is that SecurityComponent doesn't know what is wrong either. It just knows that the hash of the data does not match what was generated in the past.
>
> -Mark
>
> On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:
>
> > I've got an app i have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because cakephp is so nice to work with, i think Security Component (SC) causes all the headaches...
> >
> > I've read through the docs a fair bit, i have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
> >
> > 1. What a mess
> > 2. No SC == not great security.
> >
> > One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though i'm applying the following fugly hack to ask it to leave me alone
> >
> >     $this->Security->allowedControllers = array(people);
> >     if (in_array($this->action, array('edit', 'simport'))) {
> >         $this->Security->validatePost = false;
> >     }
> >
> > I email myself every time these occur. With details of the error. Which more or less amount to $type = auth - which according to the docs means:
> >
> > Indicates a form validation error, or a controller/action mismatch error.
> >
> > well, i / JS hasn't messed with the form (that's what form validation is about right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
> >
> > adding this deeply depressing line of code makes my basic form work:
> >
> >     $this->Components->unload('Security');
> >
> > How can I get much better details of the error?
> >
> > How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
> >
> > W
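A sketch of the idea in Florian Krämer's message above, added here as an example; it is not code from the thread, from the linked commit or from CakePHP. The HMAC over field names is a simplified stand-in for SecurityComponent's field hashing, and every function name, the key, the debug flag and the sample form data are constructed for illustration.

```php
<?php
// Added illustration: a simplified stand-in for form-field hashing, not
// SecurityComponent's algorithm. All names, the key and the data are constructed.

const FORM_KEY = 'constructed-demo-key'; // assumption: a server-side secret

function isList(array $a): bool
{
    return $a === [] || array_keys($a) === range(0, count($a) - 1);
}

/** Flatten POST data to sorted dotted names: ['users' => ['_ids' => [3, 9]]] -> ['users._ids']. */
function fieldNames(array $data, string $prefix = ''): array
{
    $names = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string)$key : $prefix . '.' . $key;
        if (is_array($value) && !isList($value)) {
            $names = array_merge($names, fieldNames($value, $path)); // nested group
        } else {
            $names[] = $path; // scalar, or a multi-select's list of values
        }
    }
    sort($names);
    return $names;
}

/** Token emitted with the form: an HMAC over the sorted field names. */
function formToken(array $fields): string
{
    sort($fields);
    return hash_hmac('sha256', implode('|', $fields), FORM_KEY);
}

/** Everything the hash check alone can report: match or no match. */
function tokenMatches(array $post, string $token): bool
{
    return hash_equals($token, formToken(fieldNames($post)));
}

/** Debug aid: diff the posted field names against the list saved at render time. */
function explainMismatch(array $renderedFields, array $post): array
{
    $posted = fieldNames($post);
    return [
        'unexpected' => array_values(array_diff($posted, $renderedFields)),
        'missing'    => array_values(array_diff($renderedFields, $posted)),
    ];
}

// Render time: the form helper knows exactly which inputs it emitted.
$rendered = ['name', 'user_id', 'start_date', 'users._ids'];
$session  = ['form_fields' => $rendered]; // stand-in for $_SESSION so this runs from the CLI
$token    = formToken($rendered);         // would travel in a hidden input

// Constructed submission: a script added "coupon", and no option was selected
// in the multi-select, so the browser sent nothing for users._ids.
$post = [
    'name'       => 'Spring promo',
    'user_id'    => '7',
    'start_date' => '2014-09-01',
    'coupon'     => 'X1',
];

$debug = true; // assumption: mirrors a framework debug flag; false in production

if (!tokenMatches($post, $token)) {
    echo "black-holed: field hash mismatch\n"; // all the hash can say
    if ($debug) {
        // Diagnostic only: the HMAC remains the security decision, the diff
        // just names the fields, and field names are not shown outside debug mode.
        foreach (explainMismatch($session['form_fields'], $post) as $kind => $fields) {
            echo $kind, ': ', implode(', ', $fields) ?: '(none)', "\n";
        }
    }
}
```

Run from the command line, it reports `coupon` as unexpected and `users._ids` as missing, which is the detail the bare hash comparison cannot give.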
Re: Cake 3 Security Component black holes add with associations
Any progress? Is there something I did wrong? Did I discover a bug?

Thanks for your assistance

On Thursday, September 4, 2014 2:28:46 PM UTC+7, José Lorenzo wrote:

> I will try to reproduce your use case this evening and see if you found a bug.
>
> On Wednesday, September 3, 2014 11:40:00 PM UTC+2, heavyKevy wrote:
>
> > No, following is the add.ctp:
> >
> >     echo $this->Form->input('name');
> >     $Selected = 0;
> >     if ($role != 'admin' && $role != 'prog-admin') {
> >         $Selected = $this->resortId;
> >     }
> >     echo $this->Form->input('user_id', ['title' => 'Promotion Resort/Program', 'options' => $resorts, 'selected' => $Selected]);
> >     echo $this->Form->input('start_date');
> >     echo $this->Form->input('end_date');
> >     echo $this->Form->input('passes_allowed');
> >     echo 'Use Shift and/or Control to select as many dealers as needed.';
> >     echo $this->Form->input('users._ids', ['title' => 'Associated Dealers', 'options' => $dealers]);
> >
> > On Thu, Sep 4, 2014 at 4:20 AM, José Lorenzo jose...@gmail.com wrote:
> >
> > > Are you creating the second control with javascript?
> > >
> > > On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:
> > >
> > > > I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.
> > > >
> > > > In PromotionsTable::
> > > >
> > > >     public function initialize(array $config) {
> > > >         $this->table('promotions');
> > > >         $this->displayField('name');
> > > >         $this->primaryKey('id');
> > > >         $this->belongsTo('Users', [
> > > >             'foreignKey' => 'user_id',
> > > >         ]);
> > > >         $this->belongsToMany('Users', [
> > > >             'foreignKey' => 'promotion_id',
> > > >             'targetForeignKey' => 'user_id',
> > > >             'joinTable' => 'promotions_users',
> > > >         ]);
> > > >     }
> > > >
> > > > Data saves fine if the security component is not loaded... black holes the request otherwise...
> > > >
> > > > Is this a bug or is this by design?
Re: Security Component is Ruining my Life
One of the issues with the field hashing is that SecurityComponent doesn't know what is wrong either. It just knows that the hash of the data does not match what was generated in the past.

-Mark

On Monday, 8 September 2014 21:47:05 UTC-4, #2Will wrote:

> I've got an app i have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because cakephp is so nice to work with, i think Security Component (SC) causes all the headaches...
>
> I've read through the docs a fair bit, i have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
>
> 1. What a mess
> 2. No SC == not great security.
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though i'm applying the following fugly hack to ask it to leave me alone
>
>     $this->Security->allowedControllers = array(people);
>     if (in_array($this->action, array('edit', 'simport'))) {
>         $this->Security->validatePost = false;
>     }
>
> I email myself every time these occur. With details of the error. Which more or less amount to $type = auth - which according to the docs means:
>
> Indicates a form validation error, or a controller/action mismatch error.
>
> well, i / JS hasn't messed with the form (that's what form validation is about right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
>
> adding this deeply depressing line of code makes my basic form work:
>
>     $this->Components->unload('Security');
>
> How can I get much better details of the error?
>
> How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
>
> W
Re: Security Component is Ruining my Life
Don't use it if you think it is a mess and not real security. You can implement secure forms yourself by using field whitelists and a csrf token. I rarely use this component and I manage with those pretty fine

On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:

> I've got an app i have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because cakephp is so nice to work with, i think Security Component (SC) causes all the headaches...
>
> I've read through the docs a fair bit, i have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
>
> 1. What a mess
> 2. No SC == not great security.
>
> One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though i'm applying the following fugly hack to ask it to leave me alone
>
>     $this->Security->allowedControllers = array(people);
>     if (in_array($this->action, array('edit', 'simport'))) {
>         $this->Security->validatePost = false;
>     }
>
> I email myself every time these occur. With details of the error. Which more or less amount to $type = auth - which according to the docs means:
>
> Indicates a form validation error, or a controller/action mismatch error.
>
> well, i / JS hasn't messed with the form (that's what form validation is about right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
>
> adding this deeply depressing line of code makes my basic form work:
>
>     $this->Components->unload('Security');
>
> How can I get much better details of the error?
>
> How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
>
> W
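The two measures named in José Lorenzo's message above, a field whitelist and a CSRF token, as an added example in plain PHP; this is not code from the thread or from CakePHP. The function names, the `_csrf` field name, the allowed-field list and the sample submission are all constructed for illustration, and an array stands in for the session so the script runs from the command line.

```php
<?php
// Added illustration, not CakePHP code: a per-session CSRF token plus a
// server-side field whitelist. All names and sample data are constructed.

/** Create (once per session) and return the token to embed in a hidden input. */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Constant-time comparison of the submitted token with the session's token. */
function csrfValid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['_csrf'])
        && is_string($post['_csrf'])
        && hash_equals($session['csrf'], $post['_csrf']);
}

/** Keep only the fields this action may write; return the rest for logging. */
function whitelist(array $post, array $allowed): array
{
    $kept    = array_intersect_key($post, array_flip($allowed));
    $dropped = array_keys(array_diff_key($post, $kept));
    return [$kept, $dropped];
}

/** Request handling: token check first, then reduce the input to allowed fields. */
function handle(array $session, array $post, array $allowed): string
{
    if (!csrfValid($session, $post)) {
        return 'rejected: bad or missing CSRF token';
    }
    unset($post['_csrf']);
    [$data, $dropped] = whitelist($post, $allowed);
    // $data is what would be handed to the model's save call; anything in
    // $dropped was never offered by the form and is worth logging.
    return 'accepted fields: ' . implode(', ', array_keys($data))
        . ($dropped ? '; dropped: ' . implode(', ', $dropped) : '');
}

// Fields the hypothetical "add" action is allowed to set.
$allowed = ['name', 'user_id', 'start_date', 'end_date', 'passes_allowed'];

$session = [];                 // stand-in for $_SESSION
$token   = csrfToken($session);

// Constructed submission: valid token, plus one field the form never offered.
$post = [
    '_csrf'          => $token,
    'name'           => 'Spring promo',
    'user_id'        => '7',
    'passes_allowed' => '20',
    'id'             => '1',   // would target an existing record if passed through
];

echo handle($session, $post, $allowed), PHP_EOL;
echo handle($session, ['_csrf' => 'forged'] + $post, $allowed), PHP_EOL;
```

The first call accepts `name`, `user_id` and `passes_allowed` and drops `id`; the second is rejected on the token. Unlike a field hash, the whitelist tolerates fields added or omitted on the client, because the server decides what it reads.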
Re: Security Component is Ruining my Life
I think my hacks to avoid black holes is a mess. I'm sure the component is ace. It does however give off a lot of false positives and looking round the web, not just for me. With that in mind, it would be awesome if it was more expressive about what triggered it.

Also, it's awkward having it and then not using it. Once the site gets hacked, I'll have to stand at the front and tell all the others why i didn't use the security component. I do a lot of other stuff to white list fields etc to mitigate this (and the site gets penetration tested and hasn't been completely owned yet) so there is some effort going into doing it properly.

W

On Tuesday, 9 September 2014 18:23:39 UTC+10, José Lorenzo wrote:

> Don't use it if you think it is a mess and not real security. You can implement secure forms yourself by using field whitelists and a csrf token. I rarely use this component and I manage with those pretty fine
>
> On Tuesday, September 9, 2014 3:47:05 AM UTC+2, #2Will wrote:
>
> > I've got an app i have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because cakephp is so nice to work with, i think Security Component (SC) causes all the headaches...
> >
> > I've read through the docs a fair bit, i have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:
> >
> > 1. What a mess
> > 2. No SC == not great security.
> >
> > One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though i'm applying the following fugly hack to ask it to leave me alone
> >
> >     $this->Security->allowedControllers = array(people);
> >     if (in_array($this->action, array('edit', 'simport'))) {
> >         $this->Security->validatePost = false;
> >     }
> >
> > I email myself every time these occur. With details of the error. Which more or less amount to $type = auth - which according to the docs means:
> >
> > Indicates a form validation error, or a controller/action mismatch error.
> >
> > well, i / JS hasn't messed with the form (that's what form validation is about right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.
> >
> > adding this deeply depressing line of code makes my basic form work:
> >
> >     $this->Components->unload('Security');
> >
> > How can I get much better details of the error?
> >
> > How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?
> >
> > W
Security Component is Ruining my Life
I've got an app i have been maintaining for a while now. The security component causes more headaches than anything else. In fact, because cakephp is so nice to work with, i think Security Component (SC) causes all the headaches...

I've read through the docs a fair bit, i have bits of code scattered around turning off the SC all over the place, which makes me feel sick from 2 points of view:

1. What a mess
2. No SC == not great security.

One issue is it doesn't seem to give back enough detail on EXACTLY what went wrong. This morning a form that has no JS has decided to blackhole even though i'm applying the following fugly hack to ask it to leave me alone

    $this->Security->allowedControllers = array(people);
    if (in_array($this->action, array('edit', 'simport'))) {
        $this->Security->validatePost = false;
    }

I email myself every time these occur. With details of the error. Which more or less amount to $type = auth - which according to the docs means:

Indicates a form validation error, or a controller/action mismatch error.

well, i / JS hasn't messed with the form (that's what form validation is about right?) and that is being disabled anyway, and it's showing the form in the action simport and posting to that action, all in the same controller.

adding this deeply depressing line of code makes my basic form work:

    $this->Components->unload('Security');

How can I get much better details of the error?

How can I work with SC in a better way so it is generally on, not disabled around the site for assorted poorly understood reasons..?

W
Re: Cake 3 Security Component black holes add with associations
I will try to reproduce your use case this evening and see if you found a bug.

On Wednesday, September 3, 2014 11:40:00 PM UTC+2, heavyKevy wrote:

> No, following is the add.ctp:
>
>     echo $this->Form->input('name');
>     $Selected = 0;
>     if ($role != 'admin' && $role != 'prog-admin') {
>         $Selected = $this->resortId;
>     }
>     echo $this->Form->input('user_id', ['title' => 'Promotion Resort/Program', 'options' => $resorts, 'selected' => $Selected]);
>     echo $this->Form->input('start_date');
>     echo $this->Form->input('end_date');
>     echo $this->Form->input('passes_allowed');
>     echo 'Use Shift and/or Control to select as many dealers as needed.';
>     echo $this->Form->input('users._ids', ['title' => 'Associated Dealers', 'options' => $dealers]);
>
> On Thu, Sep 4, 2014 at 4:20 AM, José Lorenzo jose@gmail.com wrote:
>
> > Are you creating the second control with javascript?
> >
> > On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:
> >
> > > I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.
> > >
> > > In PromotionsTable::
> > >
> > >     public function initialize(array $config) {
> > >         $this->table('promotions');
> > >         $this->displayField('name');
> > >         $this->primaryKey('id');
> > >         $this->belongsTo('Users', [
> > >             'foreignKey' => 'user_id',
> > >         ]);
> > >         $this->belongsToMany('Users', [
> > >             'foreignKey' => 'promotion_id',
> > >             'targetForeignKey' => 'user_id',
> > >             'joinTable' => 'promotions_users',
> > >         ]);
> > >     }
> > >
> > > Data saves fine if the security component is not loaded... black holes the request otherwise...
> > >
> > > Is this a bug or is this by design?
Re: Cake 3 Security Component black holes add with associations
Ok, Thank you...

On Thursday, September 4, 2014 4:09:19 AM UTC+7, heavyKevy wrote:

> I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.
>
> In PromotionsTable::
>
>     public function initialize(array $config) {
>         $this->table('promotions');
>         $this->displayField('name');
>         $this->primaryKey('id');
>         $this->belongsTo('Users', [
>             'foreignKey' => 'user_id',
>         ]);
>         $this->belongsToMany('Users', [
>             'foreignKey' => 'promotion_id',
>             'targetForeignKey' => 'user_id',
>             'joinTable' => 'promotions_users',
>         ]);
>     }
>
> Data saves fine if the security component is not loaded... black holes the request otherwise...
>
> Is this a bug or is this by design?
Cake 3 Security Component black holes add with associations
I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.

In PromotionsTable::

    public function initialize(array $config) {
        $this->table('promotions');
        $this->displayField('name');
        $this->primaryKey('id');
        $this->belongsTo('Users', [
            'foreignKey' => 'user_id',
        ]);
        $this->belongsToMany('Users', [
            'foreignKey' => 'promotion_id',
            'targetForeignKey' => 'user_id',
            'joinTable' => 'promotions_users',
        ]);
    }

Data saves fine if the security component is not loaded... black holes the request otherwise...

Is this a bug or is this by design?
Re: Cake 3 Security Component black holes add with associations
Are you creating the second control with javascript?

On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:

> I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.
>
> In PromotionsTable::
>
>     public function initialize(array $config) {
>         $this->table('promotions');
>         $this->displayField('name');
>         $this->primaryKey('id');
>         $this->belongsTo('Users', [
>             'foreignKey' => 'user_id',
>         ]);
>         $this->belongsToMany('Users', [
>             'foreignKey' => 'promotion_id',
>             'targetForeignKey' => 'user_id',
>             'joinTable' => 'promotions_users',
>         ]);
>     }
>
> Data saves fine if the security component is not loaded... black holes the request otherwise...
>
> Is this a bug or is this by design?
Re: Cake 3 Security Component black holes add with associations
No, following is the add.ctp:

    echo $this->Form->input('name');
    $Selected = 0;
    if ($role != 'admin' && $role != 'prog-admin') {
        $Selected = $this->resortId;
    }
    echo $this->Form->input('user_id', ['title' => 'Promotion Resort/Program', 'options' => $resorts, 'selected' => $Selected]);
    echo $this->Form->input('start_date');
    echo $this->Form->input('end_date');
    echo $this->Form->input('passes_allowed');
    echo 'Use Shift and/or Control to select as many dealers as needed.';
    echo $this->Form->input('users._ids', ['title' => 'Associated Dealers', 'options' => $dealers]);

On Thu, Sep 4, 2014 at 4:20 AM, José Lorenzo jose@gmail.com wrote:

> Are you creating the second control with javascript?
>
> On Wednesday, September 3, 2014 11:09:19 PM UTC+2, heavyKevy wrote:
>
> > I have promotions owned by a user and associated with other users. The Add screen gives a Select control for selecting the owner and a multi-select for selecting the associated users.
> >
> > In PromotionsTable::
> >
> >     public function initialize(array $config) {
> >         $this->table('promotions');
> >         $this->displayField('name');
> >         $this->primaryKey('id');
> >         $this->belongsTo('Users', [
> >             'foreignKey' => 'user_id',
> >         ]);
> >         $this->belongsToMany('Users', [
> >             'foreignKey' => 'promotion_id',
> >             'targetForeignKey' => 'user_id',
> >             'joinTable' => 'promotions_users',
> >         ]);
> >     }
> >
> > Data saves fine if the security component is not loaded... black holes the request otherwise...
> >
> > Is this a bug or is this by design?
Re: Security component and SQL Injection
@Jose: good to know ... logical cause of the dropped table was someone getting their hands on the database login credentials.

@Dakota: thanks, will keep an eye out for that, not that it's a factor in this situation.

On Friday, June 13, 2014 4:52:22 AM UTC+1, Dakota wrote:

> Just one thing to note is that the updateall method doesn't do all escaping.
Re: Security component and SQL Injection
No, the security component does not prevent you against that. There must be some place where you are passing raw input into a query.

On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:

> Hi,
>
> I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away from the form then coming back later and trying to submit their security tokens were expiring so the client asked me to disable security for that form. I did the following:
>
>     if ($this->request->action == 'add') {
>         $this->Security->validatePost = false;
>         $this->Security->csrfCheck = false;
>     }
>
> Fast forward to this evening and someone has managed to delete the users table from the database.
>
> Could disabling validatePost and csrfCheck have allowed someone to do SQL Inject a table drop?
>
> Thanks, Paul.
Re: Security component and SQL Injection
I personally do not think the site was the victim of an SQL Injection as I am not passing any raw queries into the system anywhere. The more realistic cause of the problem is I shared phpMyAdmin user details with the client and they accidentally deleted the table themselves, or the login details were made available to someone else who did this. If this was an injection attack, I would expect them to do more than remove one table from one database.

I don't like to jump to conclusions though, so just wanted to know if my configuration has somehow opened up the possibility of SQL Injection.

Thanks, Paul.

On Thursday, 12 June 2014 11:36:00 UTC+1, José Lorenzo wrote:
> No, the security component does not prevent you against that. There must be some place where you are passing raw input into a query.
Re: Security component and SQL Injection
As long as you are using the Model API and not passing raw strings of SQL to it then you should be safe.

On Thursday, June 12, 2014 12:56:10 PM UTC+2, phpMagpie wrote:
> I personally do not think the site was the victim of an SQL Injection as I am not passing any raw queries into the system anywhere. The more realistic cause of the problem is I shared phpMyAdmin user details with the client and they accidentally deleted the table themselves, or the login details were made available to someone else who did this. If this was an injection attack, I would expect them to do more than remove one table from one database.
>
> I don't like to jump to conclusions though, so just wanted to know if my configuration has somehow opened up the possibility of SQL Injection.
>
> Thanks, Paul.
Re: Security component and SQL Injection
Just one thing to note is that the updateAll method doesn't do all escaping.
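An added example of the caveat in the message above, not code from the thread: in CakePHP 2.x, Model::updateAll() places each value of its first argument into the SET clause as a SQL expression, so request data has to be quoted through the datasource first, while the save() path escapes values itself. The Article model, its columns and the method names are hypothetical, and the code assumes a CakePHP 2.x application.

```php
<?php
// app/Model/Article.php
// Hypothetical model for illustration. Assumes a CakePHP 2.x application and
// an `articles` table with `id`, `title` and `view_count` columns.
App::uses('AppModel', 'Model');

class Article extends AppModel {

    /**
     * UNSAFE: updateAll() treats every value in the first array as a SQL
     * expression and puts it into the SET clause as given. Wrapping request
     * data in quotes by hand does not escape quotes inside the data, so the
     * value can end the string early and continue as SQL.
     */
    public function retitleUnsafe($id, $title) {
        return $this->updateAll(
            array('Article.title' => "'" . $title . "'"),
            array('Article.id' => $id)
        );
    }

    /**
     * SAFE: quote the value with the datasource before passing it in.
     * The second argument (conditions) is escaped by the framework in the
     * same way as find() conditions, so $id needs no manual quoting.
     */
    public function retitle($id, $title) {
        $db = $this->getDataSource();
        return $this->updateAll(
            array('Article.title' => $db->value($title, 'string')),
            array('Article.id' => $id)
        );
    }

    /**
     * Why the values are not escaped: the same argument is how a SQL
     * expression is written. No request data reaches the SET clause here,
     * so nothing needs quoting.
     */
    public function countView($id) {
        return $this->updateAll(
            array('Article.view_count' => 'Article.view_count + 1'),
            array('Article.id' => $id)
        );
    }

    /**
     * The save() path: the framework escapes the value, which is the
     * "Model API" route the other replies in the thread refer to.
     */
    public function retitleViaSave($id, $title) {
        $this->id = $id;
        return $this->saveField('title', $title);
    }
}
```

When auditing a CakePHP 2.x code base for injection, calls to updateAll() and query() that receive request data are the places to read first.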
Security component and SQL Injection
Hi,

I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away from the form then coming back later and trying to submit, their security tokens were expiring, so the client asked me to disable security for that form. I did the following:

    if ($this->request->action == 'add') {
        $this->Security->validatePost = false;
        $this->Security->csrfCheck = false;
    }

Fast forward to this evening and someone has managed to delete the users table from the database. Could disabling validatePost and csrfCheck have allowed someone to do SQL Inject a table drop?

Thanks, Paul.
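The token expiry described in the post above can also be handled without switching the checks off, by giving the tokens a longer lifetime and catching the CSRF blackhole. This is an added example for CakePHP 2.x, not code from the thread; the flash message text and the choice to redirect back to the form are assumptions.

```php
<?php
// app/Controller/AppController.php
// Illustrative sketch for a CakePHP 2.x application. The message text and
// the redirect target are assumptions, not part of the original post.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Security' => array(
            // Give slow forms more time before their CSRF token expires.
            'csrfExpires' => '+2 hour',
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // The callback has to be a public method of the controller.
        $this->Security->blackHoleCallback = 'blackhole';
    }

    /**
     * Called by the Security component instead of the default
     * BadRequestException. $type is 'csrf' for a missing or expired CSRF
     * token and 'auth' for a failed form-tampering (validatePost) check.
     *
     * A public controller method can also be requested as an action, so
     * this method does nothing except redirect or throw.
     */
    public function blackhole($type = null) {
        if ($type === 'csrf') {
            $this->Session->setFlash(
                __('This form expired before it was submitted. Please check it and submit again.')
            );
            // Second argument true: only accept a referer on this site,
            // otherwise fall back to '/'.
            return $this->redirect($this->referer('/', true));
        }

        // Every other failure keeps the default, strict behaviour.
        throw new BadRequestException(__('The request has been black-holed'));
    }
}
```

The redirect loads the form again with a fresh token, so the CSRF and form-tampering checks stay enabled for the action.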
Re: Security component and SQL Injection
I thought it would more depend on how you are writing changes to the database.

If you're going via the model, with ::create and ::save methods, then users shouldn't be able to inject a truncate or drop. I say shouldn't because that is my understanding of how it is supposed to work, but I've never gone out of my way to test it.

However, if you're using ::query, then that might be possible, if queries are not appropriately sanitized.

Regards
Reuben Helms

On Thursday, 12 June 2014 09:28:03 UTC+10, phpMagpie wrote:
> Hi,
>
> I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away from the form then coming back later and trying to submit, their security tokens were expiring, so the client asked me to disable security for that form. I did the following:
>
>     if ($this->request->action == 'add') {
>         $this->Security->validatePost = false;
>         $this->Security->csrfCheck = false;
>     }
>
> Fast forward to this evening and someone has managed to delete the users table from the database. Could disabling validatePost and csrfCheck have allowed someone to do SQL Inject a table drop?
>
> Thanks, Paul.
Re: Security component and SQL Injection
Yeah, everything is done via Model::save() and your understanding is the same as mine. If anyone does know otherwise would be good to know.

Thanks, Paul.

On Thursday, 12 June 2014 01:17:12 UTC+1, Reuben wrote:
> I thought it would more depend on how you are writing changes to the database.
>
> If you're going via the model, with ::create and ::save methods, then users shouldn't be able to inject a truncate or drop. I say shouldn't because that is my understanding of how it is supposed to work, but I've never gone out of my way to test it.
>
> However, if you're using ::query, then that might be possible, if queries are not appropriately sanitized.
>
> Regards
> Reuben Helms
Re: Security Component Question
Check the Code http://api.cakephp.org/2.4/source-class-SecurityComponent.html#322-338

Blackholing is nothing more than throwing a BadRequestException or triggering a callback. I would not use an exception in that place.

On Friday, December 27, 2013 7:37:24 PM UTC+1, advantage+ wrote:
> Is there a way to force call blackhole based on model validation rules?
>
> I have a validation method that I would like to call the blackhole if it fails.
>
> Thanks, Dave
Security Component Help
I want to make action requests more secure by implementing the Restricting HTTP methods {requirePost(), requireGet(), requirePut(), requireDelete()} but running into a bit of an issue.

For an add request for example via ajax I have to fetch the form (get) and load it into the colorbox, and save the input gets sent as post. So the add method invokes 2 separate HTTP methods.

Other than break the public function add() into 2 separate functions such as

    public function load() // fetch the form via get

and then

    public function save() // post to save the data

Is there another way to accomplish this without having to break up the function?

I currently have:

    public function save() {
        // load the form
        if ($this->request->is('ajax') && $this->request->is('get')) {
            // ...
        }
        // save the form
        if (!empty($this->request->data) && $this->request->is('post')) {
            // ...
        }
    }

Any ideas anyone the best way to handle this?

Thanks, Dave
Security Component Question
Is there a way to force call blackhole based on model validation rules?

I have a validation method that I would like to call the blackhole if it fails.

Thanks, Dave
edit form needs to be submitted two times while using security component
Hi Friends,

Can anyone help me out with this? I have an edit form with the Security component, and it needs to be submitted two times. I have checked in the console: in the form, the Security component hidden token METHOD is by default PUT; when I click submit the first time it changes to post, then the second time when I click submit the form gets submitted. Please let me know how I can fix this, it's very strange to click submit two times...

Thanks, Vinod
Security Component can't be called in Controller
In any of the controller files if I call the Security component (not doing anything beyond that), certain pages of my website crash.

Here's what I have currently for $components. The site works fine with this:

    var $components = array('Auth', 'Session', 'Email');

But when I add 'Security':

    var $components = array('Auth', 'Session', 'Email', 'Security');

When the above change happens some of the webpages that get POST data from other pages stop loading altogether. Once removed, the site starts functioning normally. All I get is a blank screen.

The \cake\libs\controller\components directory clearly shows a security.php file.

Any ideas on what's causing this?
Security component and data posted from external site
I'm using 2.3 beta and the Security component. I have a site that is posting data to a controller action but the Security component blocks the request; so I don't get $this->request->data and the code fails. If I disable the Security component in beforeFilter for this action the data gets through OK. The next screen the user sees is a log in screen, but as the Security component was disabled when it was created it doesn't contain the _tokens so the subsequent log in fails ($this->request->is('post') returns false).

I have tried

    $this->Security->unlockedActions = array('action_name');

but that seems to have no effect (it's as if Security component is still active).

Anyone got any clues or advice please?
Re: Security component and data posted from external site
My solution is to receive the post via one action then redirect to the log in action. Security::unlockedActions doesn't seem to work though (I must be doing it wrong?); I have to check for the initial action and disable the Security component. After the redirect the action is different, so the component is enabled again.

Whilst it's working this doesn't feel like I'm getting it right so would welcome any tips or guidance.

Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 7 Dec 2012, at 15:14:16, Jeremy Burns jeremybu...@classoutfit.com wrote:
> I'm using 2.3 beta and the Security component. I have a site that is posting data to a controller action but the Security component blocks the request; so I don't get $this->request->data and the code fails. If I disable the Security component in beforeFilter for this action the data gets through OK. The next screen the user sees is a log in screen, but as the Security component was disabled when it was created it doesn't contain the _tokens so the subsequent log in fails ($this->request->is('post') returns false).
>
> I have tried
>
>     $this->Security->unlockedActions = array('action_name');
>
> but that seems to have no effect (it's as if Security component is still active).
>
> Anyone got any clues or advice please?
Re: Problems with ajax and security component.
I am struggling with the exact same problem.. If anyone have a suggestion???

see: http://stackoverflow.com/questions/11869336/cakephp-2-1-making-a-jquery-ajax-call-with-security-component-activated

-Tom

On Thursday, 8 December 2011 at 21:41:18 UTC+1, porangi.chris wrote:
> Hi,
>
> I'm having issues with running Ajax and the security component alongside each other. Security works fine on the other forms. Ajax works fine if Security is commented out.
>
> Security is included in the App Controller alongside other components
>
>     'Security' => array(
>         'csrfExpires' => '+2 hour'
>     )
>
> and I've added the line into AppController:BeforeFilter.
>
>     $this->Security->blackHoleCallback = '_fail';
>
> I've tried this in the beforeFilter function of the controller but it does not work:
>
>     if (isset($this->Security) && $this->action == 'tracker') {
>         $this->Security->csrfCheck = false;
>     }
>
> Basically I have an ajax query which fails:
>
>     function update_log() {
>         //This is our ajax call.
>         jQuery.ajax({
>             type: 'POST',
>             url: "<?php echo Configure::read('Link.site'); ?>/logs/tracker",
>             data: {lat: latitude, lon: longitude, resource: resource},
>             dataType: 'json',
>             success: function(data) {
>                 jQuery('input#logid').val(data.log);
>             }
>         });
>         //End Visitor Code
>     }
>
> I tried to construct a hidden form which I serialised and sent which had the tokens but this failed too.
>
> Please help - this needs to go live :(
>
> Thanks
> Chris
Re: CakePHP shows a blank page on PHP errors when using Security component
Nobody has an idea? -- Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions. To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
CakePHP shows a blank page on PHP errors when using Security component
Hello,

I'm trying to investigate a problem with CakePHP ver. 2.0.5 - when there is an error in controller class (i.e. trying to create an object from nonexistent class) I get a blank page rendered, no errors, warnings or sql dumps. Debug level is set to 2 in Config/core.php. Problem appears only when Security component is included in AppController.php. Here is sample code:

    /* file app/Controller/AppController.php */
    <?php
    class AppController extends Controller {
        public $helpers = array(
            'Html',
            'Js' => array('Jquery'),
            'Form',
            'Session'
        );

        public $components = array(
            'Security',
            'RequestHandler',
            'Session',
            'Acl'
        );

        public function blackhole($type) {
            pr('Security blackhole ' . $type);
        }

        public function beforeFilter($noAction = false) {
            parent::beforeFilter();
            $this->Security->blackHoleCallback = 'blackhole';
        }

        public function beforeRender() {
            parent::beforeRender();
        }

        public function afterFilter() {
            parent::afterFilter();
        }
    }
    ?>

    /* file app/Controller/CustomerDetailsController.php */
    <?php
    class CustomerDetailsController extends AppController {
        public $name = 'CustomerDetails';

        public function beforeFilter() {
            parent::beforeFilter();
        }

        public function create() {
            $this->autoRender = false; // Just for testing purpose - Cake doesn't render the view
            pr('controller action'); // Never showed
            $xfgb = new sfg; // Nonexistent class
        }
    }
    ?>

    /* file app/Model/CustomerDetail.php */
    <?php
    class CustomerDetail extends AppModel {
        public $name = 'CustomerDetail';
    }
    ?>

Removing the Security component from the $components array does the trick - the application shows the PHP error:

    Fatal error: Class 'sfg' not found in APP/Controller/CustomerDetailsController.php on line 14

but with Security component enabled the page is completely blank, making debugging hard (I can see the PHP error in apache logs though).

Another oddity is that restarting the apache web server causes the error to appear just once - the first load of the page app/CustomerDetails/create is with raised error on it, but all reloads after that end with blank page. Restarting apache and voila - error is here again only on first page load.

I've created a simple PHP script with object instance of nonexistent class outside CakePHP and it works as expected - every call ends with PHP fatal error that class was not found.

Any help will be appreciated.

Regards,
Niki
Re: Security Component: blackhole with no, erm, whitehole?
Thanks, Jeremy. I think I'm going to opt for roughly the same thing. Use my pushSSL() function - analogous to your __unforceSSL() - on all controllers that don't require SSL, then use the switching style for those that do require SSL.

It just seems weird to me that they have a function in Security which is meant to identify which actions require SSL, but they don't have a native function for pushing people *off* SSL.
Security Component: blackhole with no, erm, whitehole?
Here's what I don't get about the Security Component: if there's an option to use the blackholeCallback for requireSecure, why is there no option to provide a callback for anything else?

I'm using this system as outlined in the book to force SSL on certain actions. But I'd like to force people back off SSL after they're done accessing the secure areas. But this system only allows one-way action. Am I missing anything obvious?
Re: Security Component: blackhole with no, erm, whitehole?
Can anyone help me out, here?
Re: Security Component: blackhole with no, erm, whitehole?
Here's how I did this on an app (this is 1.3 but I'd guess it'd be fairly easy to transpose to 2.0 if needed).

In app_controller create a function:

    function __requireSecure() {
        // ... conditions to check
        // ... return true if SSL is needed
        // ... return false by default
    }

Create two other functions (looking at them they could be merged into a single function, but hey):

    function __forceSSL() {
        if (!env('HTTPS') == 1) {
            $this->redirect('https://' . env('SERVER_NAME') . $this->here);
        }
    }

    function __unforceSSL() {
        if (env('HTTPS') == 1) {
            $this->redirect('http://' . env('SERVER_NAME') . $this->here);
        }
    }

Then in beforeFilter:

    if ($this->__requireSecure()) {
        $this->Security->blackHoleCallback = '__forceSSL';
        $this->Security->requireSecure();
    } else {
        $this->__unforceSSL();
    }

This can probably be improved, but it works.

Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 4 Jan 2012, at 18:05:35, DragonFlyEye wrote:
> Can anyone help me out, here?
Re: Problems with ajax and security component.
Hi Miles, Jose,

Thanks for your input but I've tried that and it hasn't helped in the slightest. Does it make any difference that I'm using Cake 2.

Currently I have:

    function beforeFilter() {
        echo "BeforeFilterLog";
        if (isset($this->Security) && $this->action == 'tracker') {
            echo "SettingFalse";
            $this->Security->validatePost = false;
        }
        parent::beforeFilter();
        $this->Auth->allow('tracker', 'trackPlayer');
    }

as my beforeFilter function and am getting the echos out. So something happens after that to stop the process. The top of my action function looks like:

    public function tracker() {
        echo "tracker";
        //We don't need a view
        $this->autoRender = false;
        //Is this an Ajax call.
        if ($this->RequestHandler->isAjax()) {

but this echo never gets called so the function is obviously being binned before then. Could it be something due to Auth?

Really appreciate the help especially if you have any other ideas

Chris.

On Dec 8, 4:45 pm, Miles J mileswjohn...@gmail.com wrote:
> Yeah I ran into this as well, Jose has the correct answer.
>
> https://github.com/milesj/cake-ajax_handler/blob/master/Controller/Co...
>
> On Dec 8, 12:54 pm, José Lorenzo jose@gmail.com wrote:
>> set 'validatePost' => false for the security component in that action
Problems with ajax and security component.
Hi,

I'm having issues with running Ajax and the security component alongside each other. Security works fine on the other forms. Ajax works fine if Security is commented out.

Security is included in the App Controller alongside other components

    'Security' => array(
        'csrfExpires' => '+2 hour'
    )

and I've added the line into AppController:BeforeFilter.

    $this->Security->blackHoleCallback = '_fail';

I've tried this in the beforeFilter function of the controller but it does not work:

    if (isset($this->Security) && $this->action == 'tracker') {
        $this->Security->csrfCheck = false;
    }

Basically I have an ajax query which fails:

    function update_log() {
        //This is our ajax call.
        jQuery.ajax({
            type: 'POST',
            url: "<?php echo Configure::read('Link.site'); ?>/logs/tracker",
            data: {lat: latitude, lon: longitude, resource: resource},
            dataType: 'json',
            success: function(data) {
                jQuery('input#logid').val(data.log);
            }
        });
        //End Visitor Code
    }

I tried to construct a hidden form which I serialised and sent which had the tokens but this failed too.

Please help - this needs to go live :(

Thanks
Chris
Re: Problems with ajax and security component.
set 'validatePost' => false for the security component in that action
Re: Problems with ajax and security component.
Yeah I ran into this as well, Jose has the correct answer.

https://github.com/milesj/cake-ajax_handler/blob/master/Controller/Component/AjaxHandlerComponent.php#L84

On Dec 8, 12:54 pm, José Lorenzo jose@gmail.com wrote:
> set 'validatePost' => false for the security component in that action
Dealing with Security component in a CakePHP 2 test case
I am trying to test a CakePHP action that deals with a signup form secured with the `Security` component. I have configured the component in a UsersController like this:

    public $components = array(
        'Security' => array('unlockedFields' => array('password_again')),
    );

I can execute the action in a browser, but whenever I run the test case it fails with the following message:

    The request has been black-holed

I have tried to disable the validation inside the test case in several ways:

    $this->Users->Security->enable = false;
    $this->Users->Security->validatePost = false;
    $this->Users->Security = null; // desperate measure :)

    // still fails
    $this->testAction('/signup', array('data' => array(...), 'return' => 'contents'));

But the test insists on using the `Security` validation of `POST` request. I am using CakePHP 2.0.3 and PHPUnit 3.6.3.

By the way, I am not using the `UsersController` directly, but a `TestUsersController` class that CakePHP baked for me (as a replacement for `generate` method, I think).

What's the right way of dealing with Security component in a test case?
Re: Dealing with Security component in a CakePHP 2 test case
I have also tried $this->Users->Components->disable('Security');

On Nov 18, 1:55 pm, elitalon elita...@gmail.com wrote:
> I am trying to test a CakePHP action that deals with a signup form secured with the `Security` component. I have configured the component in a UsersController like this:
>
>     public $components = array(
>         'Security' => array('unlockedFields' => array('password_again')),
>     );
>
> I can execute the action in a browser, but whenever I run the test case it fails with the following message:
>
>     The request has been black-holed
>
> I have tried to disable the validation inside the test case in several ways:
>
>     $this->Users->Security->enable = false;
>     $this->Users->Security->validatePost = false;
>     $this->Users->Security = null; // desperate measure :)
>
>     // still fails
>     $this->testAction('/signup', array('data' => array(...), 'return' => 'contents'));
>
> But the test insists on using the `Security` validation of the `POST` request. I am using CakePHP 2.0.3 and PHPUnit 3.6.3.
>
> By the way, I am not using the `UsersController` directly, but a `TestUsersController` class that CakePHP baked for me (as a replacement for the `generate` method, I think).
>
> What's the right way of dealing with the Security component in a test case?
Re: Security component and long delays
Thanks Andy.

On 13 Oct 2011, at 14:38, AD7six wrote:
> On Oct 13, 2:13 pm, Jeremy Burns jeremybu...@classoutfit.com wrote:
>> I'm developing a corporate application that'll be used as part of people's day jobs. It is not unlikely that they will be in the middle of something, lock up their PC and go home for the night. When they come back in they'll unlock their PC and want to pick up where they left off. If they were in the middle of some data management with forms using the security component, the form will look like it's ready to go, they'll enter some more data and hit submit but they will be immediately blackholed. All they will see is a blank screen and think 'bug'.
>>
>> What is the best way of handling this more gracefully? How can I direct them to a log in screen or at least an info page?
>
> Is your app 1.3 based?
>
> The short answer is override the blackHole callback, check the $reason, and then do whatever you want.
>
> AFAIK that's the default behavior (meaning redirect on blackhole) in 2.0 anyway: https://github.com/cakephp/cakephp/blob/2.0/lib/Cake/Controller/Component/SecurityComponent.php#L276
>
> If you want to be nice - You may want to do some store-form-data-to-cookie/persistentStorage js so that after reloading the page you have the possibility to repopulate the form with the data they previously entered.
>
> AD
Security component and long delays
I'm developing a corporate application that'll be used as part of people's day jobs. It is not unlikely that they will be in the middle of something, lock up their PC and go home for the night. When they come back in they'll unlock their PC and want to pick up where they left off. If they were in the middle of some data management with forms using the security component, the form will look like it's ready to go, they'll enter some more data and hit submit but they will be immediately blackholed. All they will see is a blank screen and think 'bug'.

What is the best way of handling this more gracefully? How can I direct them to a log in screen or at least an info page?
Re: Security component and long delays
On Oct 13, 2:13 pm, Jeremy Burns jeremybu...@classoutfit.com wrote:
> I'm developing a corporate application that'll be used as part of people's day jobs. It is not unlikely that they will be in the middle of something, lock up their PC and go home for the night. When they come back in they'll unlock their PC and want to pick up where they left off. If they were in the middle of some data management with forms using the security component, the form will look like it's ready to go, they'll enter some more data and hit submit but they will be immediately blackholed. All they will see is a blank screen and think 'bug'.
>
> What is the best way of handling this more gracefully? How can I direct them to a log in screen or at least an info page?

Is your app 1.3 based?

The short answer is override the blackHole callback, check the $reason, and then do whatever you want.

AFAIK that's the default behavior (meaning redirect on blackhole) in 2.0 anyway: https://github.com/cakephp/cakephp/blob/2.0/lib/Cake/Controller/Component/SecurityComponent.php#L276

If you want to be nice - You may want to do some store-form-data-to-cookie/persistentStorage js so that after reloading the page you have the possibility to repopulate the form with the data they previously entered.

AD
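One way to implement the answer above in CakePHP 2.x, as an added example that is not code from the thread or from CakePHP itself. It uses the component's `blackHoleCallback` property; the callback name `blackholed`, the flash text and the redirect target are assumptions.

```php
<?php
// Added example. Assumes CakePHP 2.x (app/Controller/AppController.php)
// with the Session component available.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Session', 'Security');

    public function beforeFilter() {
        parent::beforeFilter();
        // SecurityComponent calls this public controller method, with the
        // failure type as its only argument, instead of its default handling.
        $this->Security->blackHoleCallback = 'blackholed';
    }

    // Hypothetical callback name. $type is the reason the component reports:
    // 'csrf', 'auth', 'secure', or the HTTP method a require*() rule expected.
    public function blackholed($type) {
        // Log every rejection so genuine tampering stays visible.
        $this->log(sprintf(
            'Black-holed request: type=%s url=%s ip=%s',
            $type,
            $this->request->here,
            $this->request->clientIp()
        ));

        if ($type === 'csrf') {
            // Typical for a form left open past the token lifetime or the
            // session. The stale POST is discarded, never replayed; the user
            // is sent back to get a fresh form and a fresh token.
            $this->Session->setFlash(
                __('Your form expired. Please enter your data again and resubmit.')
            );
            // Second argument true: accept only a referer on this site, so
            // the redirect cannot be steered to another host.
            return $this->redirect($this->referer('/', true));
        }

        // Field tampering, wrong HTTP method and missing SSL keep failing closed.
        throw new BadRequestException(__('The request has been black-holed'));
    }
}
```

If the session has expired as well, the redirected GET request is where a login check, if the application has one, sends the user to the login screen.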
Re: security component
Thanks a lot Jens, I think I'll model it this way. Perhaps using a small ajax popup which contains the token instead of a new frame just asking if the record should be deleted.

On 13 Aug., 13:03, Jens Dittrich jdittr...@gmail.com wrote:
> No or it depends on what you want to happen when a delete link is clicked. No one forces you to commit a delete on a click on a link. As an example, you could always display a page requesting a confirm for the delete request, which could carry a token for that request. That way you could not delete by just firing a get request.
Re: security component
No or it depends on what you want to happen when a delete link is clicked. No one forces you to commit a delete on a click on a link. As an example, you could always display a page requesting a confirm for the delete request, which could carry a token for that request. That way you could not delete by just firing a get request.
Re: security component
I was able to solve the first question myself: In my controller actions I always check if ($this->data) before saving or editing a record. If variables are passed via get (harmful link for example), $this->data is empty and nothing harmful can happen. In other words, without using post method it's not possible to add or edit a record. Hence, Security->requirePost just seems to be necessary for the delete actions.

Still, do I have to replace all delete links with small forms which contain the authentication token?

On Aug 11, 5:54 pm, Özgür Demir oet...@googlemail.com wrote:
> Hi everybody,
>
> I'm pretty sure this must have been answered somewhere. However I wasn't able to find an answer yet. I have two questions regarding the security component.
>
> 1. Authentication tokens seem to be checked by the security component only if data is passed via post. I assume this since my delete action is performed through a delete link even if the action is protected by the security component. This makes the security component useless for CSRF without the use of Security->requirePost(). Am I right with this?
>
> 2. It's obvious that my add/edit links are not working if using requirePost('add','edit'). I could solve this by adding requirePost('add','edit') only if data is submitted by the user like this:
>
> in beforeFilter
>
>     if ($this->data) {
>         $this->Security->requirePost('add', 'edit');
>     }
>
> But how do I handle the delete links? Do I have to replace all of them with small forms which contain the authentication token?
>
> Thanks for your help...
security component
Hi everybody,

I'm pretty sure this must have been answered somewhere. However I wasn't able to find an answer yet. I have two questions regarding the security component.

1. Authentication tokens seem to be checked by the security component only if data is passed via post. I assume this since my delete action is performed through a delete link even if the action is protected by the security component. This makes the security component useless for CSRF without the use of Security->requirePost(). Am I right with this?

2. It's obvious that my add/edit links are not working if using requirePost('add','edit'). I could solve this by adding requirePost('add','edit') only if data is submitted by the user like this:

in beforeFilter

    if ($this->data) {
        $this->Security->requirePost('add', 'edit');
    }

But how do I handle the delete links? Do I have to replace all of them with small forms which contain the authentication token?

Thanks for your help...
General problem with the security component.
Hi Cake Community,

CakePHP Version: 1.3.8
OS: Windows7
Experience: Newbie

I have a general problem with the security component.

1.) Well, I have the following actions (add, edit) in my controller. If I call in beforeFilter(), like this, $this->Security->requireAuth('add'), the requireAuth generates a token_key in the edit view too. Is that right or am I doing something wrong? According to the Cake API: http://book.cakephp.org/view/1301/requireAuth that may not happen!

2.) If I change the token_key and make a request I don't get a 404 page. It only shows a white/blank page. Somebody told me: set your debug mode to 0 and after that you get the 404 page. Nothing works :(

3.) My Basic HTTP Authentication is not working right, too:

    public function beforeFilter() {
        $this->Security->requireLogin('edit', 'add');
        $this->Security->loginOptions = array('type' => 'basic', 'realm' => 'MyRealm');
        $this->Securtiy->loginUsers = array('guest' => 'test');
    }

The requireLogin('edit', 'add') works right but it doesn't accept username and password? Why?

Thanks
Security component and HTTP Basic Authentication
I've read this article http://book.cakephp.org/view/1309/Basic-HTTP-Authentication

Now I've a lot of controllers with many actions to protect, so I could consider the idea to insert that beforeFilter directly inside AppController (and not in the single controller), so every action will be protected. Am I right?

Now I have just one action that doesn't need authentication, what should I write inside that action to avoid auth?
RE: Security component and HTTP Basic Authentication
$this->Auth->allowedActions = array(); //will allow nothing
$this->Auth->allowedActions = array('login'); //only allow the action in the array

These are set in the controller itself so you could specify just the 1 allowed action for that controller.

K

-----Original Message-----
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
Sent: Wednesday, April 06, 2011 5:13 AM
To: CakePHP
Subject: Security component and HTTP Basic Authentication

I've read this article http://book.cakephp.org/view/1309/Basic-HTTP-Authentication

Now I've a lot of controllers with many actions to protect, so I could consider the idea to insert that beforeFilter directly inside AppController (and not in the single controller), so every action will be protected. Am I right?

Now I have just one action that doesn't need authentication, what should I write inside that action to avoid auth?
Re: Security component and HTTP Basic Authentication
So I need in couple Auth and Security component?

On 6 Apr, 09:54, Krissy Masters naked.cake.ba...@gmail.com wrote:
> $this->Auth->allowedActions = array(); //will allow nothing
> $this->Auth->allowedActions = array('login'); //only allow the action in the array
>
> These are set in the controller itself so you could specify just the 1 allowed action for that controller.
>
> K
>
> -----Original Message-----
> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
> Sent: Wednesday, April 06, 2011 5:13 AM
> To: CakePHP
> Subject: Security component and HTTP Basic Authentication
>
> I've read this article http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>
> Now I've a lot of controllers with many actions to protect, so I could consider the idea to insert that beforeFilter directly inside AppController (and not in the single controller), so every action will be protected. Am I right?
>
> Now I have just one action that doesn't need authentication, what should I write inside that action to avoid auth?
Re: Security component and HTTP Basic Authentication
I don't need a complete mechanism of authentication. I just want to protect every action with http basic and leave just one action unprotected. As soon as I add the Auth component I should create a users table and so on, and I would avoid this.

On 6 Apr, 10:01, Mariano C. mariano.calan...@gmail.com wrote:
> So I need in couple Auth and Security component?
>
> On 6 Apr, 09:54, Krissy Masters naked.cake.ba...@gmail.com wrote:
>> $this->Auth->allowedActions = array(); //will allow nothing
>> $this->Auth->allowedActions = array('login'); //only allow the action in the array
>>
>> These are set in the controller itself so you could specify just the 1 allowed action for that controller.
>>
>> K
>>
>> -----Original Message-----
>> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
>> Sent: Wednesday, April 06, 2011 5:13 AM
>> To: CakePHP
>> Subject: Security component and HTTP Basic Authentication
>>
>> I've read this article http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>>
>> Now I've a lot of controllers with many actions to protect, so I could consider the idea to insert that beforeFilter directly inside AppController (and not in the single controller), so every action will be protected. Am I right?
>>
>> Now I have just one action that doesn't need authentication, what should I write inside that action to avoid auth?
RE: Security component and HTTP Basic Authentication
Correct. Auth is for User authentication (login / out), Security for security of the forms basically.

-----Original Message-----
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
Sent: Wednesday, April 06, 2011 5:32 AM
To: CakePHP
Subject: Re: Security component and HTTP Basic Authentication

So I need in couple Auth and Security component?

On 6 Apr, 09:54, Krissy Masters naked.cake.ba...@gmail.com wrote:
> $this->Auth->allowedActions = array(); //will allow nothing
> $this->Auth->allowedActions = array('login'); //only allow the action in the array
>
> These are set in the controller itself so you could specify just the 1 allowed action for that controller.
>
> K
>
> -----Original Message-----
> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
> Sent: Wednesday, April 06, 2011 5:13 AM
> To: CakePHP
> Subject: Security component and HTTP Basic Authentication
>
> I've read this article http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>
> Now I've a lot of controllers with many actions to protect, so I could consider the idea to insert that beforeFilter directly inside AppController (and not in the single controller), so every action will be protected. Am I right?
>
> Now I have just one action that doesn't need authentication, what should I write inside that action to avoid auth?
RE: Security component and HTTP Basic Authentication
Are you talking actions or pages? If you do not want something accessed then you can _preUnderscoreTheName so not accessible via url. You're building a site that has many pages but only 1 page you can visit publicly but no login to the other pages so they are never accessible by anyone makes zero sense...have you read your own question?

-----Original Message-----
From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
Sent: Wednesday, April 06, 2011 7:17 AM
To: CakePHP
Subject: Re: Security component and HTTP Basic Authentication

I don't need a complete mechanism of authentication. I just want to protect every action with http basic and leave just one action unprotected. As soon as I add the Auth component I should create a users table and so on, and I would avoid this.

On 6 Apr, 10:01, Mariano C. mariano.calan...@gmail.com wrote:
> So I need in couple Auth and Security component?
>
> On 6 Apr, 09:54, Krissy Masters naked.cake.ba...@gmail.com wrote:
>> $this->Auth->allowedActions = array(); //will allow nothing
>> $this->Auth->allowedActions = array('login'); //only allow the action in the array
>>
>> These are set in the controller itself so you could specify just the 1 allowed action for that controller.
>>
>> K
>>
>> -----Original Message-----
>> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
>> Sent: Wednesday, April 06, 2011 5:13 AM
>> To: CakePHP
>> Subject: Security component and HTTP Basic Authentication
>>
>> I've read this article http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>>
>> Now I've a lot of controllers with many actions to protect, so I could consider the idea to insert that beforeFilter directly inside AppController (and not in the single controller), so every action will be protected. Am I right?
>>
>> Now I have just one action that doesn't need authentication, what should I write inside that action to avoid auth?
Re: Security component and HTTP Basic Authentication
Actually - he asked for http basic digest authentication. Meaning all of his protected pages will pop up the browser credential window instead of the html form based login that auth promotes. Before you criticize the poster for making zero sense and not having read your own question maybe you should re-read the question once prior to inserting your foot into your mouth..

On Apr 6, 6:41 am, Krissy Masters naked.cake.ba...@gmail.com wrote:
> Are you talking actions or pages? If you do not want something accessed then you can _preUnderscoreTheName so not accessible via url. You're building a site that has many pages but only 1 page you can visit publicly but no login to the other pages so they are never accessible by anyone makes zero sense...have you read your own question?
>
> -----Original Message-----
> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
> Sent: Wednesday, April 06, 2011 7:17 AM
> To: CakePHP
> Subject: Re: Security component and HTTP Basic Authentication
>
> I don't need a complete mechanism of authentication. I just want to protect every action with http basic and leave just one action unprotected. As soon as I add the Auth component I should create a users table and so on, and I would avoid this.
>
> On 6 Apr, 10:01, Mariano C. mariano.calan...@gmail.com wrote:
>> So I need in couple Auth and Security component?
>>
>> On 6 Apr, 09:54, Krissy Masters naked.cake.ba...@gmail.com wrote:
>>> $this->Auth->allowedActions = array(); //will allow nothing
>>> $this->Auth->allowedActions = array('login'); //only allow the action in the array
>>>
>>> These are set in the controller itself so you could specify just the 1 allowed action for that controller.
>>>
>>> K
>>>
>>> -----Original Message-----
>>> From: cake-php@googlegroups.com [mailto:cake-php@googlegroups.com] On Behalf Of Mariano C.
>>> Sent: Wednesday, April 06, 2011 5:13 AM
>>> To: CakePHP
>>> Subject: Security component and HTTP Basic Authentication
>>>
>>> I've read this article http://book.cakephp.org/view/1309/Basic-HTTP-Authentication
>>>
>>> Now I've a lot of controllers with many actions to protect, so I could consider the idea to insert that beforeFilter directly inside AppController (and not in the single controller), so every action will be protected. Am I right?
>>>
>>> Now I have just one action that doesn't need authentication, what should I write inside that action to avoid auth?
Do I still need Model::$whitelist when using the Security component? --psybear
Hey everybody

To my knowledge, the $whitelist attribute tells a model which attributes should be writable when it comes to a save. I'm using the Security component which ensures that nobody tampers with my forms (e.g. adding a new input field), so I guess I don't need $whitelist anymore, right?

Thanks for your opinion
Josh
Re: Do I still need Model::$whitelist when using the Security component? --psybear
yes, that should be enough :)
but what about ajax forms or dynamically added fields? those cannot be used with sec component
in those cases you will have to manually secure your forms

On 21 Jan., 12:57, psybear83 psybea...@gmail.com wrote:
> Hey everybody
>
> To my knowledge, the $whitelist attribute tells a model which attributes should be writable when it comes to a save. I'm using the Security component which ensures that nobody tampers with my forms (e.g. adding a new input field), so I guess I don't need $whitelist anymore, right?
>
> Thanks for your opinion
> Josh
Re: Do I still need Model::$whitelist when using the Security component? --psybear
Interesting point! At the moment I don't have any such features, so I guess I remove my $whitelists and think about this as soon as required. :-)

Have a nice weekend, Mark!

On Fri, Jan 21, 2011 at 4:22 PM, euromark dereurom...@googlemail.com wrote:
> yes, that should be enough :)
> but what about ajax forms or dynamically added fields? those cannot be used with sec component
> in those cases you will have to manually secure your forms
>
> On 21 Jan., 12:57, psybear83 psybea...@gmail.com wrote:
>> Hey everybody
>>
>> To my knowledge, the $whitelist attribute tells a model which attributes should be writable when it comes to a save. I'm using the Security component which ensures that nobody tampers with my forms (e.g. adding a new input field), so I guess I don't need $whitelist anymore, right?
>>
>> Thanks for your opinion
>> Josh
Re: Empty automagic dropdown lists make Security component complain? --psybear
Thanks, cricket. I'm not sure but I believe Ruby On Rails created an additional hidden input field to surpass this specification/limitation; so when there's no value selected in the dropdown, the hidden field's empty value was sent, and when a value was selected, it oversteered the hidden field's empty value. I guess this looked something like that:

    <input type="hidden" name="data[Comment][post_id]" value="" />
    <select name="data[Comment][post_id]">
        <option value="1">...</option>
    </select>

Does this violate any HTML spec?

Let's say that comments really can exist without being related to a post: so what if I want to change a comment's post_id to no post, i.e. null? This wouldn't be possible without the workaround above, would it? Or I would have to specify a null value that's checked for in the controller and then manually set the post_id to null?

On Fri, Dec 31, 2010 at 12:18 AM, cricket zijn.digi...@gmail.com wrote:
> On Thu, Dec 30, 2010 at 4:12 PM, psybear83 psybea...@gmail.com wrote:
>> Hey everybody
>>
>> I just noticed that when I'm having an empty dropdown list and send it, then its key in the data (e.g. data[Comment][post_id]) goes missing, and I get a blank screen (probably because the Security component thinks the form was manually changed). Is this normal?
>
> It's part of the HTML spec. The browser won't send data for an element that effectively has no data to send.
>
>> Is there a fix for this?
>
> Don't include an empty select list in the form. Or include 'Comment.post_id' in Security's $disabledFields array.
>
> ... But why would you ever have a Comment with no Post?
Empty automagic dropdown lists make Security component complain? --psybear
Hey everybody

I just noticed that when I'm having an empty dropdown list and send it, then its key in the data (e.g. data[Comment][post_id]) goes missing, and I get a blank screen (probably because the Security component thinks the form was manually changed). Is this normal? Is there a fix for this?

Thanks and have a nice 2011! :-)
Josh
Re: Empty automagic dropdown lists make Security component complain? --psybear
On Thu, Dec 30, 2010 at 4:12 PM, psybear83 psybea...@gmail.com wrote:
> Hey everybody
>
> I just noticed that when I'm having an empty dropdown list and send it, then its key in the data (e.g. data[Comment][post_id]) goes missing, and I get a blank screen (probably because the Security component thinks the form was manually changed). Is this normal?

It's part of the HTML spec. The browser won't send data for an element that effectively has no data to send.

> Is there a fix for this?

Don't include an empty select list in the form. Or include 'Comment.post_id' in Security's $disabledFields array.

... But why would you ever have a Comment with no Post?
Security component and combine requireSecure() and requireLogin()
Hello,

I try to use the security component in cakePHP 1.3 and want to combine the requirements to establish an SSL connection with a simple security login. First I want to redirect to a secure connection. Then transmitting the password should be okay.

Both methods work fine as long as I don't combine them. I can automatically redirect to SSL via _forceSSL() and I can force a basic login with $this->Security->requireLogin();

Together, however, this creates an endless redirection error:

    The page isn't redirecting properly
    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

The code:

    class AppController extends Controller {
        var $components = array('Security');

        function beforeFilter() {
            // Every blackholed request is handed to _forceSSL()
            $this->Security->blackHoleCallback = '_forceSSL';
            // Require an SSL connection
            $this->Security->requireSecure();
            // Require an HTTP basic login
            $this->Security->loginOptions = array(
                'type' => 'basic',
                'realm' => 'myrealm'
            );
            $this->Security->loginUsers = array(
                'username' => 'password',
            );
            $this->Security->requireLogin();
        }

        function _forceSSL() {
            $this->redirect(HOME . $this->here);
        }
    }

I tried detecting whether the protocol is already SSL in the blackhole function and to skip the redirect if so, and I tried redefining/resetting the blackhole function just before $this->Security->requireLogin();, both to no avail.

I must be missing something obvious? Thanks for any hints.

PS: the HOME constant is defined in bootstrap.php, because I have to specify different ports on dev. and production systems. It works as long as I don't combine the two requirements.
Re: Security Component
sorry man but who told you that security component and AJAX do not work?

On Nov 8, 10:18 pm, Dave Maharaj m...@davemaharaj.com wrote:
> Ok from what I have read using Security Component with AJAX request will not work. So I never added it to my app_controller, then today I decided let's see what happens so sure enough my forms all get the security div
>
>     <div style="display: none;"><input type="hidden" value="POST" name="_method"><input type="hidden" id="Token1607686768" value="6ed5415b7526befab1ec093cac8ccd45255daba7" name="data[_Token][key]"></div>
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not work as in the security feature will not work (it won't secure the forms) or it will not work as in your forms will never submit?
>
> Dave
RE: Security Component
No one specific. Just google it and found blackholes request (I call that not working) or use

    $this->Security->validatePost = false;

which tells security not to validate which also means it's not working (do nothing). Maybe for certain actions? I don’t know... I'm just trying to see what will and will not work. I'm simply sending forms ajax with jquery.form plugin.

All my stuff works, that’s why I'm wondering.

-----Original Message-----
From: robust solution [mailto:hussein_elhar...@yahoo.com]
Sent: November-09-10 4:36 AM
To: CakePHP
Subject: Re: Security Component

sorry man but who told you that security component and AJAX do not work?

On Nov 8, 10:18 pm, Dave Maharaj m...@davemaharaj.com wrote:
> Ok from what I have read using Security Component with AJAX request will not work. So I never added it to my app_controller, then today I decided let's see what happens so sure enough my forms all get the security div
>
>     <div style="display: none;"><input type="hidden" value="POST" name="_method"><input type="hidden" id="Token1607686768" value="6ed5415b7526befab1ec093cac8ccd45255daba7" name="data[_Token][key]"></div>
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not work as in the security feature will not work (it won't secure the forms) or it will not work as in your forms will never submit?
>
> Dave
Re: Security Component
it depends on what you are doing
if you simply post static forms, that's fine
the problems start as soon as you modify the forms via javascript/jquery
if you add or remove inputs
and this will most certainly result in blackholes
you would need to exclude those fields manually

On 9 Nov., 17:33, Dave Maharaj m...@davemaharaj.com wrote:
> No one specific. Just google it and found blackholes request (I call that not working) or use
>
>     $this->Security->validatePost = false;
>
> which tells security not to validate which also means it's not working (do nothing). Maybe for certain actions? I don’t know... I'm just trying to see what will and will not work. I'm simply sending forms ajax with jquery.form plugin.
>
> All my stuff works, that’s why I'm wondering.
>
> -----Original Message-----
> From: robust solution [mailto:hussein_elhar...@yahoo.com]
> Sent: November-09-10 4:36 AM
> To: CakePHP
> Subject: Re: Security Component
>
> sorry man but who told you that security component and AJAX do not work?
>
> On Nov 8, 10:18 pm, Dave Maharaj m...@davemaharaj.com wrote:
>> Ok from what I have read using Security Component with AJAX request will not work. So I never added it to my app_controller, then today I decided let's see what happens so sure enough my forms all get the security div
>>
>>     <div style="display: none;"><input type="hidden" value="POST" name="_method"><input type="hidden" id="Token1607686768" value="6ed5415b7526befab1ec093cac8ccd45255daba7" name="data[_Token][key]"></div>
>>
>> Now just for fun I tested my forms that use ajax and they all submit fine.
>>
>> So what I was reading saying it will not work are they saying it will not work as in the security feature will not work (it won't secure the forms) or it will not work as in your forms will never submit?
>>
>> Dave
RE: Security Component
Right on, thanks for that bit. I am not modifying any of the forms, simply AJAX submit. But 1 thing that has me puzzled was I added Security component, used firebug to edit the hash value, change a few field names / values and it still submitted fine (no blackholes) so that's where I was getting all this Security chatter about. It seemed to do nothing. It did not blackhole / break anything but it also did not secure the form either.
Re: how to disable security component for a single action?
Just in case someone finds this at google (like me):

Don't forget to add another = after $this->action. Or better:

    if (isset($this->Security) && 'myaction' == $this->action) {
        $this->Security->enabled = false;
    }

--
View this message in context: http://cakephp.19694.n2.nabble.com/how-to-disable-security-component-for-a-single-action-tp682715p5716405.html
Sent from the CakePHP mailing list archive at Nabble.com.
Re: how to disable security component for a single action?
Hi,

Try this

    $this->Security->validatePost = false;

or if you have a blackHoleCallback put the exception action there.

On Mon, Nov 8, 2010 at 12:50 PM, massl vermas...@gmail.com wrote:
> Just in case someone finds this at google (like me):
>
> Don't forget to add another = after $this->action. Or better:
>
>     if (isset($this->Security) && 'myaction' == $this->action) {
>         $this->Security->enabled = false;
>     }
>
> --
> View this message in context: http://cakephp.19694.n2.nabble.com/how-to-disable-security-component-for-a-single-action-tp682715p5716405.html
> Sent from the CakePHP mailing list archive at Nabble.com.
Security Component
Ok from what I have read using Security Component with AJAX request will not work. So I never added it to my app_controller, then today I decided let's see what happens so sure enough my forms all get the security div

    <div style="display: none;"><input type="hidden" value="POST" name="_method"><input type="hidden" id="Token1607686768" value="6ed5415b7526befab1ec093cac8ccd45255daba7" name="data[_Token][key]"></div>

Now just for fun I tested my forms that use ajax and they all submit fine.

So what I was reading saying it will not work are they saying it will not work as in the security feature will not work (it won't secure the forms) or it will not work as in your forms will never submit?

Dave
Re: Security Component
Most of the time it will not validate and blackhole (throw a whitepage), it was easiest to just disable it in AJAX calls.

    $this->Security->validatePost = false;

We don't need validation in AJAX anyways as we usually need some sort of json response.

On Nov 8, 2:18 pm, Dave Maharaj m...@davemaharaj.com wrote:
> Ok from what I have read using Security Component with AJAX request will not work. So I never added it to my app_controller, then today I decided let's see what happens so sure enough my forms all get the security div
>
>     <div style="display: none;"><input type="hidden" value="POST" name="_method"><input type="hidden" id="Token1607686768" value="6ed5415b7526befab1ec093cac8ccd45255daba7" name="data[_Token][key]"></div>
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not work as in the security feature will not work (it won't secure the forms) or it will not work as in your forms will never submit?
>
> Dave
RE: Security Component
All my responses are JSON with true / false then do something like you said. I was just curious as everything I seem to have found says Security Component will not work so just trying to get an answer on what exactly "will not work" means.

- The component will add the Token / hash but it's not checked?
- The whole thing will fail?
- The component does nothing?

So far in my testing everything still works but if I edit the form with firebug it still submits (my validation returns JSON response error) so I guess the security component does nothing. So far no blackhole / whitepage errors though.

Just curious is all.

Thanks,
Dave

-----Original Message-----
From: Miles J [mailto:mileswjohn...@gmail.com]
Sent: November-08-10 7:58 PM
To: CakePHP
Subject: Re: Security Component

Most of the time it will not validate and blackhole (throw a whitepage), it was easiest to just disable it in AJAX calls.

    $this->Security->validatePost = false;

We don't need validation in AJAX anyways as we usually need some sort of json response.

On Nov 8, 2:18 pm, Dave Maharaj m...@davemaharaj.com wrote:
> Ok from what I have read using Security Component with AJAX request will not work. So I never added it to my app_controller, then today I decided let's see what happens so sure enough my forms all get the security div
>
>     <div style="display: none;"><input type="hidden" value="POST" name="_method"><input type="hidden" id="Token1607686768" value="6ed5415b7526befab1ec093cac8ccd45255daba7" name="data[_Token][key]"></div>
>
> Now just for fun I tested my forms that use ajax and they all submit fine.
>
> So what I was reading saying it will not work are they saying it will not work as in the security feature will not work (it won't secure the forms) or it will not work as in your forms will never submit?
>
> Dave
Re: Security Component
It has been a while but usually the response would just be empty, even if I was setting data.

On Nov 8, 3:49 pm, Dave Maharaj m...@davemaharaj.com wrote:
> All my responses are JSON with true / false then do something like you said. I was just curious as everything I seem to have found says Security Component will not work so just trying to get an answer on what exactly "will not work" means.
>
> - The component will add the Token / hash but it's not checked?
> - The whole thing will fail?
> - The component does nothing?
>
> So far in my testing everything still works but if I edit the form with firebug it still submits (my validation returns JSON response error) so I guess the security component does nothing. So far no blackhole / whitepage errors though.
>
> Just curious is all.
>
> Thanks,
> Dave
>
> -----Original Message-----
> From: Miles J [mailto:mileswjohn...@gmail.com]
> Sent: November-08-10 7:58 PM
> To: CakePHP
> Subject: Re: Security Component
>
> Most of the time it will not validate and blackhole (throw a whitepage), it was easiest to just disable it in AJAX calls.
>
>     $this->Security->validatePost = false;
>
> We don't need validation in AJAX anyways as we usually need some sort of json response.
>
> On Nov 8, 2:18 pm, Dave Maharaj m...@davemaharaj.com wrote:
>> Ok from what I have read using Security Component with AJAX request will not work. So I never added it to my app_controller, then today I decided let's see what happens so sure enough my forms all get the security div
>>
>>     <div style="display: none;"><input type="hidden" value="POST" name="_method"><input type="hidden" id="Token1607686768" value="6ed5415b7526befab1ec093cac8ccd45255daba7" name="data[_Token][key]"></div>
>>
>> Now just for fun I tested my forms that use ajax and they all submit fine.
>>
>> So what I was reading saying it will not work are they saying it will not work as in the security feature will not work (it won't secure the forms) or it will not work as in your forms will never submit?
>>
>> Dave
Re: Security component and the dreaded blackhole
i just spent an hour trying to debug a similar situation... i finally noticed that i forgot to put echo $form->end() at the end of the form...

On Sep 19, 1:22 am, Jeremy Burns | Class Outfit jeremybu...@classoutfit.com wrote:
> Yup - I know all this and if you read the post you'll see that I am using the form helper and am not using javascript. My question was "how do you debug an issue with the Security component?".
>
> Jeremy Burns
> Class Outfit
> jeremybu...@classoutfit.com
> http://www.classoutfit.com
>
> On 18 Sep 2010, at 21:33, bwelli...@gmail.com wrote:
>> When using the Security Component you must use the FormHelper to create your forms. The Security Component looks for certain indicators that are created and managed by the FormHelper (especially those created in create() and end()). Dynamically altering the fields that are submitted in a POST request (e.g. disabling, deleting or creating new fields via JavaScript) is likely to trigger a black-holing of the request. See the $validatePost or $disabledFields configuration parameters.
>>
>> http://book.cakephp.org/view/1296/Security-Component
>>
>> On Sep 8, 10:52 am, Jeremy Burns | Class Outfit jeremybu...@classoutfit.com wrote:
>>> Yup - all the way through. No java or funny stuff either.
>>>
>>> Jeremy Burns
>>> Class Outfit
>>> jeremybu...@classoutfit.com
>>> http://www.classoutfit.com
>>>
>>> On 8 Sep 2010, at 18:20, Miles J wrote:
>>>> Are you creating input fields without the form helper?
>>>>
>>>> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>>>>
>>>> On Sep 8, 8:03 am, Jeremy Burns jeremybu...@classoutfit.com wrote:
>>>>> I have enabled the Security component in my app_controller and mostly this works just fine. But I have one particular view that falls into the blackhole when its form is posted. It works fine if I type $this->Security->validatePost = false; into the beforeFilter() of the controller.
>>>>>
>>>>> I can't see anything particularly odd about the form, and without posting reams of code - how does one go about debugging this?
Re: Security component and the dreaded blackhole
i always hated the security component for that
had similar issues some time ago. debugging is almost impossible^^
at least in debug 0 it should not blackhole completely (but maybe throw some errors or whatever)
if there is such an option i didn't find it yet

On 20 Okt., 22:43, austin awe...@gmail.com wrote:
> i just spent an hour trying to debug a similar situation... i finally noticed that i forgot to put echo $form->end() at the end of the form...
>
> On Sep 19, 1:22 am, Jeremy Burns | Class Outfit jeremybu...@classoutfit.com wrote:
>> Yup - I know all this and if you read the post you'll see that I am using the form helper and am not using javascript. My question was "how do you debug an issue with the Security component?".
>>
>> Jeremy Burns
>> Class Outfit
>> jeremybu...@classoutfit.com
>> http://www.classoutfit.com
>>
>> On 18 Sep 2010, at 21:33, bwelli...@gmail.com wrote:
>>> When using the Security Component you must use the FormHelper to create your forms. The Security Component looks for certain indicators that are created and managed by the FormHelper (especially those created in create() and end()). Dynamically altering the fields that are submitted in a POST request (e.g. disabling, deleting or creating new fields via JavaScript) is likely to trigger a black-holing of the request. See the $validatePost or $disabledFields configuration parameters.
>>>
>>> http://book.cakephp.org/view/1296/Security-Component
>>>
>>> On Sep 8, 10:52 am, Jeremy Burns | Class Outfit jeremybu...@classoutfit.com wrote:
>>>> Yup - all the way through. No java or funny stuff either.
>>>>
>>>> Jeremy Burns
>>>> Class Outfit
>>>> jeremybu...@classoutfit.com
>>>> http://www.classoutfit.com
>>>>
>>>> On 8 Sep 2010, at 18:20, Miles J wrote:
>>>>> Are you creating input fields without the form helper?
>>>>>
>>>>> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>>>>>
>>>>> On Sep 8, 8:03 am, Jeremy Burns jeremybu...@classoutfit.com wrote:
>>>>>> I have enabled the Security component in my app_controller and mostly this works just fine. But I have one particular view that falls into the blackhole when its form is posted. It works fine if I type $this->Security->validatePost = false; into the beforeFilter() of the controller.
>>>>>>
>>>>>> I can't see anything particularly odd about the form, and without posting reams of code - how does one go about debugging this?
Re: Security component and the dreaded blackhole
When using the Security Component you must use the FormHelper to create your forms. The Security Component looks for certain indicators that are created and managed by the FormHelper (especially those created in create() and end()). Dynamically altering the fields that are submitted in a POST request (e.g. disabling, deleting or creating new fields via JavaScript) is likely to trigger a black-holing of the request. See the $validatePost or $disabledFields configuration parameters.

http://book.cakephp.org/view/1296/Security-Component

On Sep 8, 10:52 am, Jeremy Burns | Class Outfit jeremybu...@classoutfit.com wrote:
> Yup - all the way through. No java or funny stuff either.
>
> Jeremy Burns
> Class Outfit
> jeremybu...@classoutfit.com
> http://www.classoutfit.com
>
> On 8 Sep 2010, at 18:20, Miles J wrote:
>> Are you creating input fields without the form helper?
>>
>> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>>
>> On Sep 8, 8:03 am, Jeremy Burns jeremybu...@classoutfit.com wrote:
>>> I have enabled the Security component in my app_controller and mostly this works just fine. But I have one particular view that falls into the blackhole when its form is posted. It works fine if I type $this->Security->validatePost = false; into the beforeFilter() of the controller.
>>>
>>> I can't see anything particularly odd about the form, and without posting reams of code - how does one go about debugging this?
Re: Security component and the dreaded blackhole
Yup - I know all this and if you read the post you'll see that I am using the form helper and am not using javascript. My question was "how do you debug an issue with the Security component?".

Jeremy Burns
Class Outfit
jeremybu...@classoutfit.com
http://www.classoutfit.com

On 18 Sep 2010, at 21:33, bwelli...@gmail.com wrote:
> When using the Security Component you must use the FormHelper to create your forms. The Security Component looks for certain indicators that are created and managed by the FormHelper (especially those created in create() and end()). Dynamically altering the fields that are submitted in a POST request (e.g. disabling, deleting or creating new fields via JavaScript) is likely to trigger a black-holing of the request. See the $validatePost or $disabledFields configuration parameters.
>
> http://book.cakephp.org/view/1296/Security-Component
>
> On Sep 8, 10:52 am, Jeremy Burns | Class Outfit jeremybu...@classoutfit.com wrote:
>> Yup - all the way through. No java or funny stuff either.
>>
>> Jeremy Burns
>> Class Outfit
>> jeremybu...@classoutfit.com
>> http://www.classoutfit.com
>>
>> On 8 Sep 2010, at 18:20, Miles J wrote:
>>> Are you creating input fields without the form helper?
>>>
>>> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security...
>>>
>>> On Sep 8, 8:03 am, Jeremy Burns jeremybu...@classoutfit.com wrote:
>>>> I have enabled the Security component in my app_controller and mostly this works just fine. But I have one particular view that falls into the blackhole when its form is posted. It works fine if I type $this->Security->validatePost = false; into the beforeFilter() of the controller.
>>>>
>>>> I can't see anything particularly odd about the form, and without posting reams of code - how does one go about debugging this?
Security component: Disabling a single controller action
Is it possible to exclude a single controller action from the Security component? At present I have $this->Security->validatePost = false; in the controller's beforeFilter, which means that all actions are insecure.
Re: Security component: Disabling a single controller action
    if ($this->action == 'foobar') {
        $this->Security->validatePost = false;
    }

On Sep 16, 11:53 pm, Jeremy Burns jeremybu...@classoutfit.com wrote:

> Is it possible to exclude a single controller action from the Security component? At present I have $this->Security->validatePost = false; in the controller's beforeFilter, which means that all actions are insecure.
Re: Security component: Disabling a single controller action
Perfect and so simple. I should have thought of that myself. Thanks.

Jeremy Burns Class Outfit jeremybu...@classoutfit.com http://www.classoutfit.com

On 17 Sep 2010, at 17:58, Miles J wrote:

>     if ($this->action == 'foobar') {
>         $this->Security->validatePost = false;
>     }
>
> On Sep 16, 11:53 pm, Jeremy Burns jeremybu...@classoutfit.com wrote:
>
> > Is it possible to exclude a single controller action from the Security component? At present I have $this->Security->validatePost = false; in the controller's beforeFilter, which means that all actions are insecure.
Security component and the dreaded blackhole
I have enabled the Security component in my app_controller and mostly this works just fine. But I have one particular view that falls into the blackhole when its form is posted. It works fine if I type $this->Security->validatePost = false; into the beforeFilter() of the controller. I can't see anything particularly odd about the form, and without posting reams of code - how does one go about debugging this?
Re: Security component and the dreaded blackhole
Are you creating input fields without the form helper?

http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security-Component

On Sep 8, 8:03 am, Jeremy Burns jeremybu...@classoutfit.com wrote:

> I have enabled the Security component in my app_controller and mostly this works just fine. But I have one particular view that falls into the blackhole when its form is posted. It works fine if I type $this->Security->validatePost = false; into the beforeFilter() of the controller. I can't see anything particularly odd about the form, and without posting reams of code - how does one go about debugging this?
Re: Security component and the dreaded blackhole
Yup - all the way through. No java or funny stuff either.

Jeremy Burns Class Outfit jeremybu...@classoutfit.com http://www.classoutfit.com

On 8 Sep 2010, at 18:20, Miles J wrote:

> Are you creating input fields without the form helper?
>
> http://milesj.me/blog/read/43/Protecting-Your-Forms-With-The-Security-Component
>
> On Sep 8, 8:03 am, Jeremy Burns jeremybu...@classoutfit.com wrote:
>
> > I have enabled the Security component in my app_controller and mostly this works just fine. But I have one particular view that falls into the blackhole when its form is posted. It works fine if I type $this->Security->validatePost = false; into the beforeFilter() of the controller. I can't see anything particularly odd about the form, and without posting reams of code - how does one go about debugging this?
Re: Security Component; custom form (rich editor)
A bit late though, but thanks!

On 11 jul, 03:48, nurvzy nur...@gmail.com wrote:

> Set the security component to not validate that field.
>
> http://book.cakephp.org/view/1297/Configuration
>
> Hope that helps,
> Nick
>
> On Jul 10, 1:28 pm, Tomatosoup wiegersteenhui...@gmail.com wrote:
>
> > Hello,
> >
> > I use the Security component, but one (kind of custom) form gets invalidated. Is there some way to validate an invalidated (because of the token the Security component generates) form? Because I have an edit page in which I have a DIV that acts as a Rich Text Editor. Whenever one clicks the submit button the HTML content of the DIV is transferred into a hidden form field.
> >
> > Much thanks in advance for any advice.
Re: Security Component; custom form (rich editor)
You're welcome. :)

On Jul 30, 5:32 pm, Tomatosoup wiegersteenhui...@gmail.com wrote:

> A bit late though, but thanks!
>
> On 11 jul, 03:48, nurvzy nur...@gmail.com wrote:
>
> > Set the security component to not validate that field.
> >
> > http://book.cakephp.org/view/1297/Configuration
> >
> > Hope that helps,
> > Nick
> >
> > On Jul 10, 1:28 pm, Tomatosoup wiegersteenhui...@gmail.com wrote:
> >
> > > Hello,
> > >
> > > I use the Security component, but one (kind of custom) form gets invalidated. Is there some way to validate an invalidated (because of the token the Security component generates) form? Because I have an edit page in which I have a DIV that acts as a Rich Text Editor. Whenever one clicks the submit button the HTML content of the DIV is transferred into a hidden form field.
> > >
> > > Much thanks in advance for any advice.
Security Component; custom form (rich editor)
Hello,

I use the Security component, but one (kind of custom) form gets invalidated. Is there some way to validate an invalidated (because of the token the Security component generates) form? Because I have an edit page in which I have a DIV that acts as a Rich Text Editor. Whenever one clicks the submit button the HTML content of the DIV is transferred into a hidden form field.

Much thanks in advance for any advice.
Re: Security Component; custom form (rich editor)
Set the security component to not validate that field.

http://book.cakephp.org/view/1297/Configuration

Hope that helps,
Nick

On Jul 10, 1:28 pm, Tomatosoup wiegersteenhui...@gmail.com wrote:

> Hello,
>
> I use the Security component, but one (kind of custom) form gets invalidated. Is there some way to validate an invalidated (because of the token the Security component generates) form? Because I have an edit page in which I have a DIV that acts as a Rich Text Editor. Whenever one clicks the submit button the HTML content of the DIV is transferred into a hidden form field.
>
> Much thanks in advance for any advice.
Re: Problem using Security Component having integer as fieldnames
Hi all,

I looked up in the cake core code and found that there are two methods that generate the fields hash. The first is in the form helper and generates the fields hash that's displayed at the end of the form. The second one generates a fields hash based on the submitted fields in the Security Component's _validatePost method for comparing with the submitted fields hash from the form helper.

I compared these two methods of generating the fields hash and found the following code in the _validatePost method that's missing in the form helper:

    $multi = array();
    foreach ($fieldList as $i => $key) {
        if (preg_match('/\.\d+$/', $key)) {
            $multi[$i] = preg_replace('/\.\d+$/', '', $key);
            unset($fieldList[$i]);
        }
    }
    if (!empty($multi)) {
        $fieldList += array_unique($multi);
    }

I didn't find the sense of this code and it's logical that the validation fails when the fields hash is generated in different ways. When I deactivate the code above, the validation works correctly.

Do you know any sense of these lines or can I remove them from the code?

Thanks a lot for your answers!
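The mismatch described in this post, together with the per-field exclusion suggested in the rich-editor thread above, as an added example that is not part of the original posts and is not CakePHP's code: a simplified model in which the form side hashes the field names as rendered while the validation side can first apply the quoted suffix-collapsing loop. DEMO_SALT, fieldToken(), collapseNumericSuffix(), checkSubmission() and the sample field lists are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not CakePHP's code: a simplified model of a field-list
// token check. DEMO_SALT, the function names and the sample field lists are
// constructed for this example.

const DEMO_SALT = 'constructed-demo-salt';

// Form side: keyed hash over the sorted names of the fields that were rendered.
function fieldToken(array $fields): string
{
    sort($fields, SORT_STRING);
    return hash_hmac('sha256', implode('|', $fields), DEMO_SALT);
}

// The loop quoted in the post: a trailing ".<digits>" segment is stripped and
// the resulting duplicate names are merged into one entry.
function collapseNumericSuffix(array $fieldList): array
{
    $multi = array();
    foreach ($fieldList as $i => $key) {
        if (preg_match('/\.\d+$/', $key)) {
            $multi[$i] = preg_replace('/\.\d+$/', '', $key);
            unset($fieldList[$i]);
        }
    }
    if (!empty($multi)) {
        $fieldList += array_unique($multi);
    }
    return array_values($fieldList);
}

// Validation side: rebuild the field list from the submitted names, leave out
// fields that were deliberately excluded, and compare tokens in constant time.
// $rendered stands in for the token embedded in the form and, in debug mode,
// the list it was built from. On failure the differing names are returned so
// a debug page can list them.
function checkSubmission(array $rendered, array $submitted, array $excluded = array(), bool $collapse = false): array
{
    $expected = array_values(array_diff($rendered, $excluded));
    $seen = array_values(array_diff($submitted, $excluded));
    if ($collapse) {
        $seen = collapseNumericSuffix($seen);
    }
    $ok = hash_equals(fieldToken($expected), fieldToken($seen));
    return array(
        'ok' => $ok,
        'missing' => $ok ? array() : array_values(array_diff($expected, $seen)),
        'unexpected' => $ok ? array() : array_values(array_diff($seen, $expected)),
    );
}

// Case 1: checkboxes named with integers, submitted unchanged. Only the
// validation side collapses the names, so the two sides hash different lists.
$checkboxes = array('MyModel.1', 'MyModel.2', 'MyModel.3');
$cases = array(
    'integer names, validator collapses' => checkSubmission($checkboxes, $checkboxes, array(), true),
    'integer names, both sides agree' => checkSubmission($checkboxes, $checkboxes),
);

// Case 2: a field the form did not render arrives with the POST (for example
// one filled in by an editor script). Excluding that one field keeps the check
// active for every other field, unlike switching validation off.
$form = array('Article.title', 'Article.body');
$posted = array('Article.title', 'Article.body', 'Article.body_html');
$cases['script-added field, not excluded'] = checkSubmission($form, $posted);
$cases['script-added field, excluded'] = checkSubmission($form, $posted, array('Article.body_html'));
$posted[] = 'Article.author_id'; // constructed extra field that was never rendered
$cases['excluded field plus another unrendered field'] = checkSubmission($form, $posted, array('Article.body_html'));

foreach ($cases as $label => $result) {
    printf("%-46s %s\n", $label, json_encode($result));
}
```

Run it with the PHP command-line interpreter; each row prints the verdict for one case and, for a rejected submission, the field names that differ between the two sides.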
Problem using Security Component having integer as fieldnames
Hi,

I've a problem using cake's security component when my field names are integer. For example I've several checkboxes named:

    data[MyModel][1]
    data[MyModel][2]
    data[MyModel][3]

When I activate the security component, the validation of the post data fails. The fields are properly written by the formhelper, but every time I submit the form my application runs into the blackhole.

What am I doing wrong or is this a bug in the cake core?

Thanks a lot for your help!
Debugging the Security component
I have the Security component in my app_controller's $components array. The home page of a site has a simple text field to accept some data. When the form is submitted it is parsed through a controller with a very simple add function. This form submission is being intercepted and blackholed by the security component and presenting a blank page. Refreshing the page sends you back to the original home page.

I have added a simple debug($controller) statement to the Security component's blackHole function. How do I determine why this submission is being blackholed?
Re: Debugging the Security component
I worked it out. In my cache there were two views for the same page. One called sitename.php, the other called sitename_pages_home.php. They are of course both from the same source. However, it seems as if the Security component didn't like both of them being present. I cleared the cache and started again, this time no blackhole. Doesn't really explain the reason behind this, but at least I know the cure. I placed a <cake:nocache></cake:nocache> block around the form for good measure.

Jeremy Burns jeremybu...@me.com

On 28 Feb 2010, at 11:01, Jeremy Burns wrote:

> I have the Security component in my app_controller's $components array. The home page of a site has a simple text field to accept some data. When the form is submitted it is parsed through a controller with a very simple add function. This form submission is being intercepted and blackholed by the security component and presenting a blank page. Refreshing the page sends you back to the original home page.
>
> I have added a simple debug($controller) statement to the Security component's blackHole function. How do I determine why this submission is being blackholed?
Re: Debugging the Security component
Issue not solved. The page is still being cached twice, which in and of itself is not a problem. With the form inside a nocache block, however, I am getting this error:

    Fatal error: Class 'Security' not found /cake/libs/view/helpers/form.php on line 378

Any clues please?

Jeremy Burns jeremybu...@me.com

On 28 Feb 2010, at 11:32, Jeremy Burns wrote:

> I worked it out. In my cache there were two views for the same page. One called sitename.php, the other called sitename_pages_home.php. They are of course both from the same source. However, it seems as if the Security component didn't like both of them being present. I cleared the cache and started again, this time no blackhole. Doesn't really explain the reason behind this, but at least I know the cure. I placed a <cake:nocache></cake:nocache> block around the form for good measure.
>
> Jeremy Burns jeremybu...@me.com
>
> On 28 Feb 2010, at 11:01, Jeremy Burns wrote:
>
> > I have the Security component in my app_controller's $components array. The home page of a site has a simple text field to accept some data. When the form is submitted it is parsed through a controller with a very simple add function. This form submission is being intercepted and blackholed by the security component and presenting a blank page. Refreshing the page sends you back to the original home page.
> >
> > I have added a simple debug($controller) statement to the Security component's blackHole function. How do I determine why this submission is being blackholed?
Re: Security Component - requirePost() method. Change from Link to Form
I did manage to solve it and directly after I had posted this!

I retained the ...

    echo $form->create('Product', array('action'=>'edit/'.$this->data['Product']['id']));

on list.ctp. I changed the link on edit.ctp to a verbose link without the id i.e. $form->create('Product', array('action'=>'edit')). The $id was only needed on index.ctp to identify which record edit needed to read.

I must admit to being a bit paranoid about hacking and tend to err on safe side. I know POSTing isn't safe either but it's a step above GET. I will always retain the Security Token.

Thanks for responding.
DaveTheRave.

On 20 Jan, 18:02, Miles J mileswjohn...@gmail.com wrote:

> I may be wrong in this, but I'm pretty sure the requirePost() is only supposed to be used once. It should only be used on the initial request of the page, not subsequently after.
>
> Why would you have that page require a post to access? And not just turn it back to a link? It doesn't solve any problems, it just adds more complexity to it.
>
> The only time requirePost() is a great idea, is when doing a delete (/products/delete/1), where that page must be hit with a post. Once hit with a post, it does the delete logic and redirects or flashes.
>
> On Jan 20, 9:54 am, DaveTheRave dr-s...@hotmail.com wrote:
>
> > I have a test CakePHP Application that lists various products on a single page called views/products/index.ctp. To start with each product had an Edit link that targeted action products/edit/productid. This worked fine.
> >
> > I then added $this->Security->requirePost('edit');. I replaced the link on index.ctp page with a form defined as follows...
> >
> > WAS...
> >
> >     echo $html->link(__('Edit', true), '/products/edit/'.$this->data['Product']['id']);
> >
> > NOW...
> >
> >     echo $form->create('Product', array('action'=>'edit/'.$this->data['Product']['id']));
> >     echo $form->submit(__('Edit', true));
> >     echo $form->end();
> >
> > The Edit page again uses the $form helper to create a form with a post action for posting back the changes to $this->data and uses the syntax shown below.
> >
> >     echo $form->create('Product', array('action'=>'edit/'.$this->data['Product']['id']));
> >     echo $form->input('title');
> >     .
> >     echo $form->end(__('Submit', true));
> >
> > When I click the Edit button it does take me to the Edit page. The URL now shows the action path .../products/edit/productid. After making changes I press the Submit button on the Edit page, but I get sent to the blackHoleCallback. When requirePost is removed, everything works fine!
> >
> > I should point out that a Token is being created by the SecurityComponent and is held in $this->data. As a result I have had to change the checks within the Edit action in the controller so that they check for $this->data['Product'] being empty rather than just $this->data.
> >
> > Can anyone tell me how I should have done this?
> >
> > Thanks,
> > DaveTheRave
Security Component - requirePost() method. Change from Link to Form
I have a test CakePHP Application that lists various products on a single page called views/products/index.ctp. To start with each product had an Edit link that targeted action products/edit/productid. This worked fine.

I then added $this->Security->requirePost('edit');. I replaced the link on index.ctp page with a form defined as follows...

WAS...

    echo $html->link(__('Edit', true), '/products/edit/'.$this->data['Product']['id']);

NOW...

    echo $form->create('Product', array('action'=>'edit/'.$this->data['Product']['id']));
    echo $form->submit(__('Edit', true));
    echo $form->end();

The Edit page again uses the $form helper to create a form with a post action for posting back the changes to $this->data and uses the syntax shown below.

    echo $form->create('Product', array('action'=>'edit/'.$this->data['Product']['id']));
    echo $form->input('title');
    .
    echo $form->end(__('Submit', true));

When I click the Edit button it does take me to the Edit page. The URL now shows the action path .../products/edit/productid. After making changes I press the Submit button on the Edit page, but I get sent to the blackHoleCallback. When requirePost is removed, everything works fine!

I should point out that a Token is being created by the SecurityComponent and is held in $this->data. As a result I have had to change the checks within the Edit action in the controller so that they check for $this->data['Product'] being empty rather than just $this->data.

Can anyone tell me how I should have done this?

Thanks,
DaveTheRave
Re: Security Component - requirePost() method. Change from Link to Form
I may be wrong in this, but I'm pretty sure the requirePost() is only supposed to be used once. It should only be used on the initial request of the page, not subsequently after.

Why would you have that page require a post to access? And not just turn it back to a link? It doesn't solve any problems, it just adds more complexity to it.

The only time requirePost() is a great idea, is when doing a delete (/products/delete/1), where that page must be hit with a post. Once hit with a post, it does the delete logic and redirects or flashes.

On Jan 20, 9:54 am, DaveTheRave dr-s...@hotmail.com wrote:

> I have a test CakePHP Application that lists various products on a single page called views/products/index.ctp. To start with each product had an Edit link that targeted action products/edit/productid. This worked fine.
>
> I then added $this->Security->requirePost('edit');. I replaced the link on index.ctp page with a form defined as follows...
>
> WAS...
>
>     echo $html->link(__('Edit', true), '/products/edit/'.$this->data['Product']['id']);
>
> NOW...
>
>     echo $form->create('Product', array('action'=>'edit/'.$this->data['Product']['id']));
>     echo $form->submit(__('Edit', true));
>     echo $form->end();
>
> The Edit page again uses the $form helper to create a form with a post action for posting back the changes to $this->data and uses the syntax shown below.
>
>     echo $form->create('Product', array('action'=>'edit/'.$this->data['Product']['id']));
>     echo $form->input('title');
>     .
>     echo $form->end(__('Submit', true));
>
> When I click the Edit button it does take me to the Edit page. The URL now shows the action path .../products/edit/productid. After making changes I press the Submit button on the Edit page, but I get sent to the blackHoleCallback. When requirePost is removed, everything works fine!
>
> I should point out that a Token is being created by the SecurityComponent and is held in $this->data. As a result I have had to change the checks within the Edit action in the controller so that they check for $this->data['Product'] being empty rather than just $this->data.
>
> Can anyone tell me how I should have done this?
>
> Thanks,
> DaveTheRave
Re: Security component and session timeout
Yes the security component adds a hidden token/timer within the forms. There is a time limit that black holes if you sit on the page too long. Not sure if you can configure it. Try doing a search within the Security component.

On Jan 18, 8:43 pm, Stinkbug justink...@gmail.com wrote:

> Just checking to see if anyone has any recommendations on this before I start implementing something myself.
>
> On Dec 16 2009, 10:49 pm, Stinkbug justink...@gmail.com wrote:
>
> > I've been using the security component for quite some time, but there is one issue that I've never been able to figure out with it. When I have a form and the user takes a while to fill it out, it will get blackholed. I'm guessing the security component is using a session somehow on the form. It makes the form only good for so many minutes (I'm not totally sure how long). However, adjusting session setting in the core doesn't seem to change this.
> >
> > Can someone explain what's going on and if there is a way to change this so that a form can sit there a little longer without getting blackholed?
Re: Security component and session timeout
Just checking to see if anyone has any recommendations on this before I start implementing something myself.

On Dec 16 2009, 10:49 pm, Stinkbug justink...@gmail.com wrote:

> I've been using the security component for quite some time, but there is one issue that I've never been able to figure out with it. When I have a form and the user takes a while to fill it out, it will get blackholed. I'm guessing the security component is using a session somehow on the form. It makes the form only good for so many minutes (I'm not totally sure how long). However, adjusting session setting in the core doesn't seem to change this.
>
> Can someone explain what's going on and if there is a way to change this so that a form can sit there a little longer without getting blackholed?
Security component and session timeout
I've been using the security component for quite some time, but there is one issue that I've never been able to figure out with it. When I have a form and the user takes a while to fill it out, it will get blackholed. I'm guessing the security component is using a session somehow on the form. It makes the form only good for so many minutes (I'm not totally sure how long). However, adjusting session setting in the core doesn't seem to change this.

Can someone explain what's going on and if there is a way to change this so that a form can sit there a little longer without getting blackholed?